Hi Torsten,

From what I can see, there are substantial differences in the approaches.

The Security BCP is collecting what should be done with the current toolset and currently known threats in detail. The PoP Architecture, on the other hand, categorizes what kind of proof of possession is conceivable at a much higher level and gives useful names to label the concepts. They include:

- Threats
  - Token manufacture/modification
  - Token disclosure
  - Token redirect
  - Token reuse
  - Token repudiation
- Requirements
  - A concise summary of seventeen requirements based on RFC 4962
- Threat Mitigation
  - Confidentiality Protection
  - Sender Constraint
  - Key Confirmation
- Architecture
  - Client and Authorization Server Interaction
    - Symmetric Keys
    - Asymmetric Keys
  - Client and Resource Server Interaction
  - Resource and Authorization Server Interaction (Token Introspection)

Some of them are not covered by the Security BCP, but not all. That is only natural, as there are no corresponding specs.

From what I can see, they serve very different purposes and target audiences.

Best,

Nat

On Tue, Mar 28, 2023 at 11:32 AM <tors...@lodderstedt.net> wrote:

> Hi Nat,
>
> the Security BCP defines sender-constrained access tokens and (I think)
> gives a comprehensive description of the attacks prevented by
> sender-constrained access tokens.
>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#name-misuse-of-stolen-access-tok
>
> Do you think there is anything missing?
>
> best regards,
> Torsten.
>
> On 27 March 2023, 13:48 +0900, Nat Sakimura <sakim...@gmail.com> wrote:
>
> Hi Rifaat,
>
> Here are my slides on the OAuth 2.0 Proof-of-Possession (PoP) Security
> Architecture discussion.
> Sorry for being so late in delivering them!
>
> Best,
>
> Nat Sakimura
>
>
> On Sat, Feb 11, 2023 at 9:56 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
>> Great! I will add it to the list of topics to discuss.
>>
>> Regards,
>> Rifaat
>>
>>
>> On Sat, Feb 11, 2023 at 1:06 AM Nat Sakimura <sakim...@gmail.com> wrote:
>>
>>> Sure, I'll be there.
>>> I can discuss it there.
>>>
>>> On Fri, Feb 10, 2023 at 21:07 Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>>>
>>>> Nat (off the list),
>>>>
>>>> Will you be attending the meeting in Yokohama?
>>>> If so, would you be interested in discussing this topic with the WG then?
>>>> This could be either during one of the main sessions or one of the side
>>>> meetings, if you prefer.
>>>>
>>>> Regards,
>>>> Rifaat
>>>>
>>>>
>>>> On Fri, Feb 10, 2023 at 3:24 AM Nat Sakimura <sakim...@gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> The OAuth 2.0 Proof-of-Possession (PoP) Security Architecture[1] has not
>>>>> progressed and has been expired since 2017.
>>>>>
>>>>> [1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-pop-architecture-08
>>>>>
>>>>> I just noticed it because I wanted to refer to it in one of the
>>>>> papers I am involved with. IMHO, it has got good information worth
>>>>> making referenceable. Has it been an explicit decision to abandon the
>>>>> document, or is it just the result of the priorities of the editors and this
>>>>> WG having shifted away? Is there an appetite to progress it?
>>>>>
>>>>> Best,
>>>>> --
>>>>> Nat Sakimura
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>

--
Nat Sakimura
NAT.Consulting LLC
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
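The thread contrasts the PoP Architecture's vocabulary (token disclosure, redirect and reuse as threats; sender constraint and key confirmation as mitigations) with the Security BCP's description of sender-constrained access tokens. The following is an added worked example, not code from the thread, from either draft, or from any IETF implementation, showing what a resource server actually checks when it confirms the key an access token is bound to. It takes the symmetric-key branch of the architecture: the AS places a `cnf` claim naming a key id (RFC 7800 style), the client proves possession with an HMAC over the request target and a hash of the token, and the RS rejects a stolen token, a replayed proof and a proof redirected to another endpoint. The token encoding, the proof layout, the `POP_KEYS` lookup table standing in for the RS/AS key-distribution channel, and all key material are assumptions for illustration, not a real OAuth, DPoP or mTLS wire format.

```python
# Added example: key confirmation of a sender-constrained access token.
# Assumptions (not from the thread or any RFC): token = b64url(payload).b64url(mac),
# proof = HMAC over canonical JSON claims, POP_KEYS stands in for the channel by
# which the RS learns client keys from the AS. All keys are demo constants.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def canonical(obj) -> bytes:
    # Deterministic serialisation so client and RS MAC the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Constructed secrets (demo only).
AS_KEY = b"as-signing-key-for-demo-only-000"
POP_KEYS = {"client-key-1": b"client-pop-key-for-demo-only-0001"}


def as_issue_token(sub: str, kid: str, now: int) -> str:
    """AS issues a token whose cnf claim names the client's PoP key (sender constraint)."""
    payload = {"sub": sub, "aud": "https://rs.example", "exp": now + 600,
               "cnf": {"kid": kid}}
    body = b64url(canonical(payload))
    tag = b64url(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def client_make_proof(key: bytes, kid: str, method: str, uri: str,
                      token: str, jti: str, now: int) -> dict:
    """Client proves possession: MAC over method, URI, token hash, time and a nonce."""
    claims = {"kid": kid, "htm": method, "htu": uri, "iat": now, "jti": jti,
              "ath": b64url(hashlib.sha256(token.encode()).digest())}
    mac = hmac.new(key, canonical(claims), hashlib.sha256).digest()
    return {"claims": claims, "mac": b64url(mac)}


def rs_verify(token: str, proof: dict, method: str, uri: str,
              seen_jtis: set, now: int, max_skew: int = 60):
    """Returns (accepted, reason). Each check maps to one threat in the PoP list:
    manufacture/modification -> AS signature; disclosure -> key confirmation;
    redirect -> htm/htu/ath binding; reuse -> jti replay cache."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(tag), expected):
        return False, "token signature invalid"
    payload = json.loads(b64url_decode(body))
    if payload["exp"] <= now:
        return False, "token expired"
    if not uri.startswith(payload["aud"]):
        return False, "token not for this resource"
    claims = proof["claims"]
    kid = payload.get("cnf", {}).get("kid")
    if kid is None or claims.get("kid") != kid:
        return False, "proof key does not match token cnf"
    key = POP_KEYS.get(kid)
    if key is None:
        return False, "unknown confirmation key"
    mac = hmac.new(key, canonical(claims), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(proof["mac"]), mac):
        return False, "key confirmation failed"   # bearer-style theft stops here
    if claims["htm"] != method or claims["htu"] != uri:
        return False, "proof bound to a different request"
    if claims["ath"] != b64url(hashlib.sha256(token.encode()).digest()):
        return False, "proof bound to a different token"
    if abs(now - claims["iat"]) > max_skew:
        return False, "proof too old"
    if claims["jti"] in seen_jtis:
        return False, "proof replayed"
    seen_jtis.add(claims["jti"])
    return True, "ok"


def demo() -> dict:
    """Legitimate call, then the three attacks the cnf binding is meant to stop."""
    now = 1_700_000_000
    uri = "https://rs.example/api/data"
    key = POP_KEYS["client-key-1"]
    token = as_issue_token("alice", "client-key-1", now)
    seen = set()
    good = client_make_proof(key, "client-key-1", "GET", uri, token, "p1", now)
    results = {"legit": rs_verify(token, good, "GET", uri, seen, now)}
    # Token reuse: the same proof presented a second time.
    results["replay"] = rs_verify(token, good, "GET", uri, seen, now)
    # Token disclosure: attacker holds the token but not the confirmation key.
    forged = client_make_proof(b"attacker-guess", "client-key-1", "GET", uri, token, "p2", now)
    results["stolen_token"] = rs_verify(token, forged, "GET", uri, seen, now)
    # Token redirect: a valid proof for one endpoint replayed against another.
    other = client_make_proof(key, "client-key-1", "GET", uri, token, "p3", now)
    results["redirect"] = rs_verify(token, other, "POST", "https://rs.example/api/admin", seen, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

The order of checks matters for the threat list: a stolen token fails at key confirmation before any request binding is consulted, and the `jti` cache is only consulted after the MAC is valid, so an attacker cannot poison it with forged nonces. In a real deployment the `POP_KEYS` lookup is the Resource/Authorization Server interaction the architecture calls token introspection, and the symmetric HMAC would be replaced by a signature over the client's public key thumbprint in the asymmetric branch.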