On the surface (as currently presented) this work appears to duplicate the POP work going on in OAuth. The key difference is that this work is focused on using ALPN to bind tokens to the TLS channel. From a use case perspective it is very close to OAuth POP, and a specific use case of the current OAuth POP (proof of possession) architecture.
I note that the OAuth WG had originally dropped TLS binding in part because TLS was not always end-to-end in cases where load-balancers were used. The identified use-cases required end-to-end proof of possession (e.g. to prevent token re-use and relaying). Nevertheless, events and approaches change and this is worth discussing (again). I think the architectural/protocol issues around the use of load balancers have to be discussed as the current ALPN proposal may be unbearable for many.

Phil
@independentid
www.independentid.com
phil.h...@oracle.com

> On Dec 5, 2014, at 8:43 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> Hiya,
>
> Following up on the presentation at IETF-91 on this topic, [1]
> we've created a new list [2] for moving that along. The list
> description is:
>
> "This list is for discussion of proposals for doing better than bearer
> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
> The specific goal is chartering a WG focused on preventing security
> token export and replay attacks."
>
> If you're interested please join in.
>
> Thanks to Vinod and Andrei for agreeing to admin the list.
>
> We'll kick off discussion in a few days when folks have had
> a chance to subscribe.
>
> Cheers,
> S.
>
> PS: Please don't reply-all to this, join the new list, wait
> a few days and then say what you need to say:-)
>
> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
> [2] https://www.ietf.org/mailman/listinfo/unbearable