Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Brian Campbell
Tony, thanks as always for your thoughtful, well reasoned, and helpful comments. I'm well aware of the potential for confusion, which is why I endeavored to address the differences between aud and dst with text in the draft. I do appreciate your permission to use it ourselves and I'll be sure to

Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Anthony Nadalin
There are some folks out there that are using AUD to mean DST. Adding DST is confusing, if you want to use it that's fine but don't see a need to standardize every claim that someone comes up with.

Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02

2015-03-25 Thread Nat Sakimura
I have refreshed the draft which talks about what is being discussed in Section 3 paragraph 2 as: http://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-03 It just talks about Sender Constraint now, dropping all the

Re: [OAUTH-WG] Meeting Room for Token Exchange Discussion Tonight

2015-03-25 Thread Phil Hunt
Unfortunately there is another BOF at 7:30. So I will have to pass. Phil @independentid www.independentid.com phil.h...@oracle.com > On Mar 25, 2015, at 3:24 PM, Hannes Tschofenig > wrote: > > I reserved a meeting room for us. We will be in **Royal**. > > >

[OAUTH-WG] Meeting Room for Token Exchange Discussion Tonight

2015-03-25 Thread Hannes Tschofenig
I reserved a meeting room for us. We will be in **Royal**.

Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Brian Campbell
FWIW, I did have that as an open issue in the draft: http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00#appendix-A Though the way I worded it probably shows my bias. On Wed, Mar 25, 2015 at 2:16 PM, Mike Jones wrote: > Thanks for posting this, Brian. To get it down on the list, I’ll r

Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Mike Jones
Thanks for posting this, Brian. To get it down on the list, I’ll repeat my comment made in person that just as “aud” used to be single-valued and ended up being multi-valued, I suspect some applications would require the same thing of “dst” – at least when “aud” and “dst” are different. And ev

[OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Brian Campbell
Here are the slides that I rushed through at the end of the Dallas meeting: https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf And the -00 draft: http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00 In an informal discussion earlier this week John B. suggested that some additio

[OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-27.txt

2015-03-25 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Dynamic Client Registration Protocol Authors : Justin Richer

Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

2015-03-25 Thread John Bradley
Sure no problem:) > On Mar 25, 2015, at 10:42 AM, Brian Campbell > wrote: > > Yeah, sorry, I misspoke (this stuff isn't easy). The presenter doesn't > confirm. The presenter presents the token along with something that proves > possession, which allows the recipient to confirm. My original gr

Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

2015-03-25 Thread Brian Campbell
Yeah, sorry, I misspoke (this stuff isn't easy). The presenter doesn't confirm. The presenter presents the token along with something that proves possession, which allows the recipient to confirm. My original gripe with both texts is that they seem to suggest that the presenter makes the declaratio

Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

2015-03-25 Thread Justin Richer
Agree that this language isn’t clear. The presenter doesn’t confirm the claim either, the presenter never even looks for it (unless the presenter is the issuer, which is a special and hopefully rare case). That’s why the key is delivered to the presenter in parallel with the token. It’s the RS t

Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

2015-03-25 Thread Nat Sakimura
My take is that the presenter presents the token with cnf claim and some kind of proof of possession of the material that cnf claim refers to. It is the recipient that "confirms" or "verifies" the claim made by the authorized presenter is correct. 2015-03-25 23:37 GMT+09:00 Brian Campbell : > The

Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

2015-03-25 Thread Brian Campbell
There's similar wording in sec 3.3 too that seems to suggest that the presenter is the one that makes the claim. I think the presenter confirms the claim when it presents. It's the issuer that makes/asserts/declares

[OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02

2015-03-25 Thread Nat Sakimura
Dear OAuthers: Here are my belated review comments on draft-ietf-oauth-proof-of-possession-02. Below, [POPA] stands for https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01 Abstract It is probably better to spell out that this document is describing the JWT format that can