I don’t believe that this is a useful spec without meaningful key presentation mechanisms.
— Justin

> On Jul 5, 2018, at 11:04 AM, Mike Jones
> <Michael.Jones=40microsoft....@dmarc.ietf.org> wrote:
>
> I'm fine putting some bandwidth into finishing OAuth PoP Key Distribution -
> particularly now that OAuth AS Metadata is finally done. I know that Hannes
> is willing to do so as well.
>
> -- Mike
>
> -----Original Message-----
> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Tuesday, July 3, 2018 11:56 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] PoP Key Distribution
>
> On 2018-07-03 21:46, Hannes Tschofenig wrote:
>> Hi all,
>>
> .....
>> Where should the parameters needed for PoP key distribution be
>> defined? Currently, they are defined in two places -- in
>> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in
>> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03.
>> In particular, the audience and the token_type parameters are defined
>> in both specs.
>>
>> IMHO it appears that OAuth would be the best place to define the
>> HTTP-based parameters. ACE could define the IoT-based protocols, such
>> as CoAP, MQTT, and alike. Of course, this is subject for discussion,
>> particularly if there is no interest in doing so in the OAuth working
>> group.
>>
>
> I fully agree that OAuth would be the best place. I've only drawn some of
> these parameters into draft-ietf-ace-oauth-authz because the work on
> draft-ietf-oauth-pop-key-distribution seemed to have been discontinued (it
> expired August 2017).
> That said, I'd hate to introduce a normative dependency into
> draft-ietf-ace-oauth-authz on a document that will not move forward or only
> move very slowly. What are the prospects of going forward quickly with
> draft-ietf-oauth-pop-key-distribution?
>
>> There is also a misalignment in terms of the content.
>> draft-ietf-oauth-pop-key-distribution defined an 'alg' parameter,
>> which does not exist in the draft-ietf-ace-oauth-authz document. The
>> draft-ietf-ace-oauth-authz document does, however, have a profile
>> parameter, which does not exist in
>> draft-ietf-oauth-pop-key-distribution. Some alignment is therefore
>> needed. In the meanwhile the work on OAuth meta has been finalized and
>
> It seems indeed that 'alg' and 'profile' parameters have some overlap,
> although 'alg' seemed a bit more narrow to me (which is why I created
> 'profile'). If we could extend the definition of 'alg' a bit, I'd be OK to
> remove 'profile' from the ACE draft (provided the OAuth draft moves forward
> in a timely manner).
>
>
> /Ludwig
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE SICS
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth