MFW
-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Morteza Ansari
(moransar)
Sent: Tuesday, March 4, 2014 10:34 AM
To: Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management
Work
WFM too.
On 3/4/14
WFM too.
On 3/4/14 6:04 PM, "Hannes Tschofenig" wrote:
>Hi all,
>
>at today's OAuth meeting I suggested to get together during the week to
>continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
>which dominated our conversation at the meeting today.
>
>I would suggest to get to
WFM too
On Tue, Mar 4, 2014 at 6:13 PM, Phil Hunt wrote:
> WFM
>
> Phil
>
>> On Mar 4, 2014, at 18:04, Hannes Tschofenig
>> wrote:
>>
>> Hi all,
>>
>> at today's OAuth meeting I suggested to get together during the week to
>> continue our conversation about draft-ietf-oauth-dyn-reg-management-0
WFM
Phil
> On Mar 4, 2014, at 18:04, Hannes Tschofenig wrote:
>
> Hi all,
>
> at today's OAuth meeting I suggested to get together during the week to
> continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
> which dominated our conversation at the meeting today.
>
> I would
FYI: Here is the summary I sent to the SAAG list.
Original Message
Subject: IETF#89 OAuth Meeting Summary
Date: Tue, 04 Mar 2014 17:59:00 +0100
From: Hannes Tschofenig
To: s...@ietf.org
This morning we had our OAuth working group meeting and here is a short
summary of the disc
Hi all,
at today's OAuth meeting I suggested to get together during the week to
continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
which dominated our conversation at the meeting today.
I would suggest to get together on **Thursday, at 11:30** (for lunch) at
the IETF registra
Keeping the conversation from this morning going…
This morning I raised the issue that it is not clear to my as to why a client
would need to "manage" its registration (note: I think this analysis applies
equally to both the the management draft and the earlier SCIM profile I
published). What w
Section 3.2.1 talks about the need for and benefits of confidential
clients. For Auth Code Grants, can't public clients be as safe as
confidential clients if:
* HTTPS is being used for all communication
* Valid redirect_uri patterns are registered at the Auth Server for the
public clients
* A
To this, I'll add that the OpenID Connect ID Token specification at
http://openid.net/specs/openid-connect-core-1_0.html#IDToken adds this,
prohibiting the use of header parameters to communicate the keys:
ID Tokens SHOULD NOT use the JWS or JWE x5u, x5c, jku, or jwk header parameter
fields.
I might be suffering from a touch of confirmation bias but I think
this underscores what I was trying to say near the end of the JOSE
session in Vancouver during the "key finding algorithm" discussion.
Namely that finding a key is not the same as trusting a key and that
I'm concerned that explainin
10 matches
Mail list logo
