I'm fine putting some bandwidth into finishing OAuth PoP Key Distribution - particularly now that OAuth AS Metadata is finally done. I know that Hannes is willing to do so as well.
-- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Ludwig Seitz
Sent: Tuesday, July 3, 2018 11:56 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] PoP Key Distribution

On 2018-07-03 21:46, Hannes Tschofenig wrote:
> Hi all,
>
> .....
>
> Where should the parameters needed for PoP key distribution should be
> defined? Currently, they are defined in two places -- in
> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in
> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03.
> In particular, the audience and the token_type parameters are defined
> in both specs.
>
> IMHO it appears that OAuth would be the best place to define the
> HTTP-based parameters. ACE could define the IoT-based protocols, such
> as CoAP, MQTT, and alike. Of course, this is subject for discussion,
> particularly if there is no interest in doing so in the OAuth working
> group.
>

I fully agree that OAuth would be the best place. I've only drawn some of these parameters into draft-ietf-ace-oauth-authz because the work on draft-ietf-oauth-pop-key-distribution seemed to have been discontinued (it expired August 2017).

That said, I'd hate to introduce a normative dependency into draft-ietf-ace-oauth-authz on a document that will not move forward or only move very slowly. What are the prospects of going forward quickly with draft-ietf-oauth-pop-key-distribution?

> There is also a misalignment in terms of the content..
> draft-ietf-oauth-pop-key-distribution defined an 'alg' parameter,
> which does not exist in the draft-ietf-ace-oauth-authz document. The
> draft-ietf-ace-oauth-authz document does, however, have a profile
> parameter, which does not exist in
> draft-ietf-oauth-pop-key-distribution. Some alignment is therefore
> needed.

In the meanwhile the work on OAuth meta has been finalized and It seems indeed that 'alg' and 'profile' parameters have some overlap, although 'alg' seemed a bit more narrow to me (which is why I created 'profile'). If we could extend the definition of 'alg' a bit, I'd be OK to remove 'profile' from the ACE draft (provided the OAuth draft moves forward in a timely manner).

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth