Hi Hannes,

Thanks for pointing out the specific documents that you have in mind.
Token Binding can be used with any application protocols that use security tokens, and OAuth is one example. We can certainly talk about the use of the Token Binding protocol with OAuth tokens.

Cheers,

Andrei

-----Original Message-----
From: Uta [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Tuesday, November 11, 2014 3:33 PM
To: Watson Ladd; Peter Saint-Andre - &yet
Cc: [email protected]
Subject: Re: [Uta] Token Binding

Watson,

On 11/12/2014 01:36 AM, Watson Ladd wrote:
> What exactly is being copied? RFC 6749 doesn't provide a way to ensure
> cookie stealing doesn't happen. Access tokens aren't bound, so a
> mechanism needs to be provided to bind them. I don't see where the
> conflict with OAuth is.

The work to look at is called 'proof-of-possession':
http://datatracker.ietf.org/wg/oauth/documents/

A good starting point is this document:
http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/

Ciao
Hannes
