I've replied on the OAuth mailing list.  You can join it at 
https://www.ietf.org/mailman/listinfo/oauth to participate in the discussion.

From: Ace <ace-boun...@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Tuesday, July 3, 2018 12:47 PM
To: ace@ietf.org
Subject: [Ace] FW: PoP Key Distribution

Note that I posted a mail to the OAuth list about the PoP key distribution, 
which also relates to the work on ACE-OAuth.
If you are interested in this topic please feel free to join the discussion on 
the OAuth mailing list.

From: Hannes Tschofenig
Sent: 03 July 2018 21:46
To: oa...@ietf.org
Subject: PoP Key Distribution

Hi all,

we have been working on an update for the draft-ietf-oauth-pop-key-distribution 
document in time for the deadline but we noticed several issues that are 
worthwhile to bring to your attention.

draft-ietf-oauth-pop-key-distribution defines a mechanism that allows the 
client to talk to the AS to request a PoP access token and associated keying 
material.

There are two other groups in the IETF where this concept is used.

  *   The guys working on RTCWEB are the first. Misi (Mészáros Mihály) has been 
helping us to understand their needs. They have defined their own token format, 
which was posted to the OAuth group a while ago for review.

  *   The other group is ACE, with their work on an OAuth-based profile for IoT.

Where should the parameters needed for PoP key distribution be defined? 
Currently, they are defined in two places -- in 
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in 
https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03. In 
particular, the audience and the token_type parameters are defined in both 
specs.

IMHO it appears that OAuth would be the best place to define the HTTP-based 
parameters. ACE could define the IoT-based protocols, such as CoAP, MQTT, and 
alike. Of course, this is subject for discussion, particularly if there is no 
interest in doing so in the OAuth working group.

There is also a misalignment in terms of the content. 
draft-ietf-oauth-pop-key-distribution defined an 'alg' parameter, which does 
not exist in the draft-ietf-ace-oauth-authz document. The 
draft-ietf-ace-oauth-authz document does, however, have a profile parameter, 
which does not exist in draft-ietf-oauth-pop-key-distribution. Some alignment 
is therefore needed. In the meanwhile the work on OAuth meta has been finalized 
and could potentially be re-used.

When the work on draft-ietf-oauth-pop-key-distribution was initially started 
there was only a single, standardized token format, namely the JWT. Hence, it 
appeared reasonable to use the JWT keying structure for delivering keying 
material from the AS to the client.

In the meanwhile two other formats have been standardized, namely RFC 7635 and 
the CWT. For use with those specs it appears less ideal to transport keys from 
the AS to the client using the JSON/JOSE-based format. It would be more 
appropriate to use whatever PoP token format is used instead. Currently, this 
hasn't been considered yet.

Ciao
Hannes
