List, I have submitted an Informational Internet-Draft that may be relevant to discussions on session-based authorization and token trust boundaries:
draft-yossif-psea-01 Post-Session Execution Assurance (PSEA): A Security Model for Verifying Authority at the Moment of Action
https://datatracker.ietf.org/doc/draft-yossif-psea/

The core argument: OAuth tokens (and sessions generally) establish identity at login time. They do not establish that the token holder is the authorized human at the moment a sensitive action is executed. This gap is structural, not implementation-specific — it persists regardless of token binding, PKCE, or DPoP.

PSEA defines five requirements for closing this gap at execution time:

1. Execution-time proof (not login-time)
2. Human presence assurance
3. Device-bound trust
4. Cryptographic proof independent of session tokens
5. Connectivity independence

A reference specification with formal artifacts (JSON Schema, OpenAPI 3.0 verification contract, STRIDE threat model, RFC 6979 test vectors, Python and TypeScript reference verifiers) is maintained at: https://github.com/yuthent/psea-spec

I am seeking technical review and critique, specifically:

- Whether the authority gap as defined is meaningfully distinct from problems already addressed in the WG (DPoP, RAR, transaction tokens)
- Whether the conformance criteria in Appendix B are technically sound
- Whether this belongs in a different area or WG

I recognize this list focuses on OAuth-specific work. If PSEA is better suited for SAAG or another venue, I welcome that guidance.

Mohamad Khalil Yossif
Yuthent
[email protected]
https://yuthent.com/psea

Mohamad Khalil Yossif
CEO – Yuthent
Founder – SwiftCrew, MK Digital, MK Electronics
T: +972 50-931-1103
E: [email protected]
W: yuthent.com
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
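The following is an added illustration of the first four requirements listed in the message (execution-time proof, human presence assurance, device-bound trust, and proof independent of the session token), written for this post; it is not code from the draft or from the psea-spec repository and does not follow the draft's JSON Schema or OpenAPI contract. The resource server issues a per-action challenge, the enrolled device signs the action digest plus that challenge and a presence flag, and the server verifies the assertion without ever looking at the OAuth token. The draft references RFC 6979 deterministic ECDSA; this example substitutes HMAC with a per-device secret so it runs on the standard library alone. The device id, secret, field names and action are constructed values.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed device registry: device_id -> secret agreed at enrolment.
# Assumption: a real deployment would hold a per-device public key and
# verify an asymmetric (e.g. RFC 6979 ECDSA) signature instead of HMAC.
DEVICE_KEYS = {"dev-7f3a": b"constructed-device-secret-do-not-reuse"}


def canonical(obj):
    """Deterministic JSON encoding so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def action_digest(action):
    """Bind the proof to the exact action (type, amount, destination, ...)."""
    return hashlib.sha256(canonical(action)).hexdigest()


def sign_assertion(device_id, action, nonce, presence, issued_at):
    """Device side: sign the action digest, server challenge and presence flag.

    The session token is deliberately not an input: the assertion is a
    separate, device-bound proof produced at execution time.
    """
    body = {
        "device_id": device_id,
        "action": action_digest(action),
        "nonce": nonce,
        "presence": presence,   # e.g. "user_verified" after a local user gesture
        "iat": issued_at,
    }
    sig = hmac.new(DEVICE_KEYS[device_id], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class ExecutionVerifier:
    """Resource-server side: one challenge per action, consumed on first use."""

    def __init__(self, max_age=120, now=time.time):
        self.max_age = max_age      # seconds the assertion stays acceptable
        self.now = now              # injectable clock for testing
        self.pending = {}           # nonce -> digest of the action it was issued for
        self.used = set()           # nonces already consumed (replay defence)

    def issue_challenge(self, action):
        nonce = hashlib.sha256(canonical(action) + os.urandom(16)).hexdigest()[:32]
        self.pending[nonce] = action_digest(action)
        return nonce

    def verify(self, action, assertion):
        key = DEVICE_KEYS.get(assertion.get("device_id"))
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in assertion.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return False, "bad device signature"
        if assertion.get("presence") != "user_verified":
            return False, "human presence not asserted"
        if assertion.get("action") != action_digest(action):
            return False, "action digest mismatch"
        nonce = assertion.get("nonce")
        if nonce in self.used:
            return False, "nonce already consumed"
        if self.pending.get(nonce) != assertion["action"]:
            return False, "nonce not issued for this action"
        if abs(self.now() - assertion.get("iat", 0)) > self.max_age:
            return False, "assertion too old"
        self.used.add(nonce)
        del self.pending[nonce]
        return True, "ok"


if __name__ == "__main__":
    verifier = ExecutionVerifier()
    wire = {"type": "wire_transfer", "amount": 5000, "to": "ACCT-123"}  # constructed
    challenge = verifier.issue_challenge(wire)
    proof = sign_assertion("dev-7f3a", wire, challenge, "user_verified", int(time.time()))
    print(verifier.verify(wire, proof))   # accepted once
    print(verifier.verify(wire, proof))   # replay rejected
```

Note that `verify` never receives the bearer token: a stolen or forwarded session cannot satisfy it without the enrolled device, a live challenge for this specific action, and a presence assertion produced at execution time. The replay and digest checks are what distinguish an execution-time proof from a login-time one.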
