Hi Phil,
Good points that need discussing, but I'd suggest we give the new list a few
days to allow folks to subscribe and then have that discussion.

Thanks,
S.

On 06/12/14 16:08, Phil Hunt wrote:
> On the surface (as currently presented) this work appears to duplicate the
> POP work going on in OAuth. The key difference is that this work is focused
> on using ALPN to bind tokens to the TLS channel. From a use case perspective
> it is very close to OAuth POP, and a specific use case of the current OAuth
> POP (proof of possession) architecture.
>
> I note that the OAuth WG had originally dropped TLS binding in part because
> TLS was not always end-to-end in cases where load-balancers were used. The
> identified use-cases required end-to-end proof of possession (e.g. to prevent
> token re-use and relaying).
>
> Nevertheless, events and approaches change and this is worth discussing
> (again).
>
> I think the architectural/protocol issues around the use of load balancers
> have to be discussed as the current ALPN proposal may be unbearable for many.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
>> On Dec 5, 2014, at 8:43 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
>> wrote:
>>
>>
>> Hiya,
>>
>> Following up on the presentation at IETF-91 on this topic, [1]
>> we've created a new list [2] for moving that along. The list
>> description is:
>>
>> "This list is for discussion of proposals for doing better than bearer
>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>> The specific goal is chartering a WG focused on preventing security
>> token export and replay attacks."
>>
>> If you're interested please join in.
>>
>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>
>> We'll kick off discussion in a few days when folks have had
>> a chance to subscribe.
>>
>> Cheers,
>> S.
>>
>> PS: Please don't reply-all to this, join the new list, wait
>> a few days and then say what you need to say :-)
>>
>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>
>> _______________________________________________
>> http-auth mailing list
>> http-a...@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth