While the tokbind seems strategic, there are concerns about universality. A chief barrier is getting all TLS termination points to support it - a matter of substantial time.

There are also those that argue that we still need an app-layer end-to-end solution that PoP provides. That said, I am not sure PoP is that useful without some form of request/response signing solution. I hate to say this, but maybe we have to go with some form of encapsulation? E.g. a signed HTTP request within an HTTP request? Ugh!

Phil

> On Oct 19, 2016, at 12:04 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> 1. We should continue the PoP work in the OAuth working group and not move it to ACE. (This was also discussed in the minutes at https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth.)
>
> 2. We should abandon the HTTP signing work. It is both overly complicated *and* incomplete - not a good combination. This same combination is what led people to abandon OAuth 1.0 in favor of WRAP and later OAuth 2.0. We should learn from our own mistakes. ;-)
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, October 19, 2016 2:45 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Future of PoP Work
>
> Hi all,
>
> two questions surfaced at the last IETF meeting, namely
>
> 1) Do we want to proceed with the symmetric implementation of PoP or, alternatively, do we want to move it over to the ACE working group?
>
> 2) Do we want to continue the work on HTTP signing?
>
> We would appreciate your input on these two questions.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth