On 25/04/14 10:23, Hannes Tschofenig wrote:
Good question. The architecture allows different mechanisms to be used
for proof-of-possession between the client and the resource server.
With the publication of draft-richer-oauth-signed-http-request-01 we
have a version that uses a JOSE-based encoding. I have not had time to
illustrate how the MAC-based version would fit in there.
OAuth2 is very open to supporting all sorts of access token types.
Hopefully the PoP model will not be made exclusive for JWT only, it won't be
very OAuth2 friendly IMHO...
Cheers, Sergey
On 04/25/2014 10:42 AM, Sergey Beryozkin wrote:
Hi Hannes
Is the MAC token effort you were leading still on the map?
Thanks, Sergey
On 24/04/14 20:42, Hannes Tschofenig wrote:
Btw, the HTTP signature mechanism now also got published as
http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01
I think we now have a pretty good collection of documents to look at.
Ciao
Hannes
On 04/24/2014 06:40 PM, Hannes Tschofenig wrote:
Hi Lewis,
good that you ask.
In the London IETF meeting we have proposed a plan on how to proceed
with the proof-of-possession (PoP) work.
John had already explained that the main document is
draft-hunt-oauth-pop-architecture-00. It paints the big picture and
points to the relevant documents, in particular to
a) draft-bradley-oauth-pop-key-distribution
b) draft-jones-oauth-proof-of-possession
c) a not-yet-published HTTP signature mechanism.
(a) explains how the client obtains keys from the authorization server.
(b) describes a mechanism for binding a key to the access token.
(c) illustrates the procedure for the client to interact with the
resource server (based on the PoP mechanism).
These documents replace prior work on draft-ietf-oauth-v2-http-mac-05
and draft-tschofenig-oauth-hotk-03.
We are getting closer to having all relevant parts published.
Ciao
Hannes
On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote:
Hi,
Lots of crypto drafts on OAuth popping up that I need to come up to
speed on.
draft-bradley-oauth-pop-key-distribution-00
<http://datatracker.ietf.org/doc/draft-bradley-oauth-pop-key-distribution/>
draft-hunt-oauth-pop-architecture-00
<http://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/>
draft-jones-oauth-proof-of-possession-00
<http://datatracker.ietf.org/doc/draft-jones-oauth-proof-of-possession/>
draft-sakimura-oauth-rjwtprof-01
<http://datatracker.ietf.org/doc/draft-sakimura-oauth-rjwtprof/>
draft-sakimura-oauth-tcse-03
<http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse/>
draft-tschofenig-oauth-hotk-03
<http://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk/>
Glad to see all the work, but is there a preferred reading order here?
Which ones build on each other vs. which ones are out there on their
own?
-adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth