Eric,
This feels a bit like WebID <http://www.w3.org/2005/Incubator/webid/spec/> - except the client's public key is used to verify a message they signed, rather than a TLS tunnel they established. Both identify the client by a URI that delivers a certificate. Your Cloud-to-On-Premise flow, WebID, and OpenID really need to use HTTPS URIs as identities to be secure. However, your sample app <https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app> has an HTTP id http://app-identity-java.appspot.com/certs. Was this an oversight, or isn't security of this system supposed to depend on how the app's self-signed short-lived (daily) certificate is obtained?

--
James Manger

From: [email protected] [mailto:[email protected]] On Behalf Of Eric Sachs
Sent: Thursday, 7 April 2011 5:43 AM
To: [email protected]
Subject: [woes] Native JWT support in Google App Engine

Google has just added native support for JWT to Google App Engine. Here is the documentation:
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app

Our hope is to work with other players in the cloud computing space to improve some elements of cloud security by using PKI, JWT & OAuth2 for interop between our systems. Based on past industry discussion, we wrote up a description of some of the general interop use-cases:
https://sites.google.com/site/oauthgoog/robotaccounts/cloudtoonpremise
https://sites.google.com/site/oauthgoog/robotaccounts/onpremisetocloud

While this new feature in Google App Engine is a significant step for Google, we realize there is more to do on our side such as adding support for JWT assertions in our recently announced OAuth2 support for Google APIs <http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html>. However we would prefer to get feedback from this group on a standard approach, including around key rotation/management.

Eric Sachs
Senior Product Manager, Internet Identity
Google
_______________________________________________
woes mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/woes
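An added example, not code from either message nor from Google's App Engine implementation: the key-discovery step of a verifier for the flow discussed above, which refuses a non-HTTPS identity URI before fetching the issuer's certificate and then enforces the short-lived certificate's validity window. The token layout, the `fetch_certs` callback, the certificate-document format and the issuer URI are constructed assumptions.

```python
import base64
import json
from datetime import datetime
from urllib.parse import urlparse

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_token(kid: str, iss: str) -> str:
    # Constructed sample token; the signature segment is a placeholder because
    # this example stops at key discovery and does not check the signature.
    header, payload = {"alg": "RS256", "kid": kid}, {"iss": iss}
    return ".".join([b64url_encode(header), b64url_encode(payload), "sig"])

def resolve_signing_key(token: str, fetch_certs, now_iso: str) -> str:
    """Return the certificate allowed to verify `token`, or raise ValueError.
    `fetch_certs(url)` is an assumed callback returning the issuer's kid -> cert map."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    issuer = payload.get("iss", "")
    parsed = urlparse(issuer)
    # The identity URI must be HTTPS: over plain HTTP anyone on the network path
    # could hand the verifier a certificate of their choosing.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuer {issuer!r} is not an HTTPS URI")
    record = fetch_certs(issuer).get(header.get("kid"))
    if record is None:
        raise ValueError(f"no certificate with kid {header.get('kid')!r} at {issuer}")
    # Short-lived (daily) certificates: enforce the validity window.
    now = datetime.fromisoformat(now_iso)
    if not (datetime.fromisoformat(record["not_before"]) <= now
            < datetime.fromisoformat(record["not_after"])):
        raise ValueError("certificate is outside its validity window")
    return record["pem"]

# Constructed certificate document standing in for the real HTTPS fetch.
SAMPLE_CERTS = {"https://example-app.invalid/certs": {
    "k1": {"pem": "-----BEGIN CERTIFICATE-----(constructed)-----END CERTIFICATE-----",
           "not_before": "2011-04-07T00:00:00+00:00",
           "not_after": "2011-04-08T00:00:00+00:00"}}}

def sample_fetch(url: str) -> dict:
    return SAMPLE_CERTS[url]
```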
