Some initial feedback upon a quick read (with no background context for
this issue):
* What is the point of using the word "deferred" in this case? Is the
"key binding" made at some future time? Why? What value does that bring?
Until when is it deferred?
* Might we enumerate the mechanisms by which you might "trust me, bruh"
if not by PoP?
* How is this _not_ just effectively a bearer token then?
- johnk
On 06/05/25 at 12:45, Justin Richer wrote:
Hi Chairs and WG,
Back in Bangkok, we presented the draft
https://datatracker.ietf.org/doc/draft-richer-oauth-tmb-claim/
that introduces, in a concrete
way, the notion of getting a token bound to a key that you don’t
possess. As we discussed, this is a topic that keeps coming up in
the OAuth space and is usually dutifully pushed aside for the sake
of simplicity (and some would argue sanity).
The chairs mentioned pulling together an interim meeting for the
OAuth WG for us to discuss this topic ahead of Madrid, to see if
there was anything more we as a community want to do with it. As
we’re now more than halfway between the meetings, we wanted to bring
that up again and see if that interim can get scheduled soon. I’d
also like to encourage people to read through the draft and open the
discussion here on the list more.
— Justin
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
--
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudo...@gmail.com
https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj