I'm fine putting some bandwidth into finishing OAuth PoP Key Distribution -
particularly now that OAuth AS Metadata is finally done. I know that Hannes is
willing to do so as well.
-- Mike
-----Original Message-----
From: OAuth <[email protected]> On Behalf Of Ludwig Seitz
Sent: Tuesday, July 3, 2018 11:56 PM
To: [email protected]
Subject: Re: [OAUTH-WG] PoP Key Distribution
On 2018-07-03 21:46, Hannes Tschofenig wrote:
> Hi all,
>
.....
> Where should the parameters needed for PoP key distribution be
> defined? Currently, they are defined in two places -- in
> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in
> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03.
> In particular, the audience and the token_type parameters are defined
> in both specs.
>
> IMHO it appears that OAuth would be the best place to define the
> HTTP-based parameters. ACE could define the IoT-based protocols, such
> as CoAP, MQTT, and the like. Of course, this is subject for discussion,
> particularly if there is no interest in doing so in the OAuth working
> group.
>
I fully agree that OAuth would be the best place. I've only drawn some of these
parameters into draft-ietf-ace-oauth-authz because the work on
draft-ietf-oauth-pop-key-distribution seemed to have been discontinued (it
expired August 2017).
That said, I'd hate to introduce a normative dependency into
draft-ietf-ace-oauth-authz on a document that will not move forward or only
move very slowly. What are the prospects of going forward quickly with
draft-ietf-oauth-pop-key-distribution?
> There is also a misalignment in terms of the content.
> draft-ietf-oauth-pop-key-distribution defined an 'alg' parameter,
> which does not exist in the draft-ietf-ace-oauth-authz document. The
> draft-ietf-ace-oauth-authz document does, however, have a profile
> parameter, which does not exist in
> draft-ietf-oauth-pop-key-distribution. Some alignment is therefore
> needed. In the meanwhile the work on OAuth meta has been finalized and
It seems indeed that 'alg' and 'profile' parameters have some overlap, although
'alg' seemed a bit more narrow to me (which is why I created 'profile'). If we
could extend the definition of 'alg' a bit, I'd be OK to remove 'profile' from
the ACE draft (provided the OAuth draft moves forward in a timely manner).
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth