On 2018-07-03 21:46, Hannes Tschofenig wrote:
Hi all,

....
Where should the parameters needed for PoP key distribution be defined? Currently, they are defined in two places -- in https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03. In particular, the audience and the token_type parameters are defined in both specs.

IMHO it appears that OAuth would be the best place to define the HTTP-based parameters. ACE could define the IoT-based protocols, such as CoAP, MQTT, and the like. Of course, this is subject for discussion, particularly if there is no interest in doing so in the OAuth working group.


I fully agree that OAuth would be the best place. I've only drawn some of these parameters into draft-ietf-ace-oauth-authz because the work on draft-ietf-oauth-pop-key-distribution seemed to have been discontinued (it expired August 2017). That said, I'd hate to introduce a normative dependency into draft-ietf-ace-oauth-authz on a document that will not move forward or only move very slowly. What are the prospects of going forward quickly with draft-ietf-oauth-pop-key-distribution?

There is also a misalignment in terms of the content. draft-ietf-oauth-pop-key-distribution defined an 'alg' parameter, which does not exist in the draft-ietf-ace-oauth-authz document. The draft-ietf-ace-oauth-authz document does, however, have a profile parameter, which does not exist in draft-ietf-oauth-pop-key-distribution. Some alignment is therefore needed. In the meanwhile the work on OAuth meta has been finalized and

It seems indeed that 'alg' and 'profile' parameters have some overlap, although 'alg' seemed a bit more narrow to me (which is why I created 'profile'). If we could extend the definition of 'alg' a bit, I'd be OK to remove 'profile' from the ACE draft (provided the OAuth draft moves forward in a timely manner).


/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
