I believe that the PoP work should stay in the working group, and that without 
a usable presentation mechanism such as an HTTP message signature the whole 
work is pointless. I agree with Mike that we should learn from our own mistakes 
— and that is precisely the direction that the current HTTP signing draft took. 
As a result, the base level of functionality is signing the token itself (with 
a timestamp/nonce) using the key. All of the fiddly HTTP bits that trip people 
up? Not only are they optional, but it’s explicitly declared what’s covered. 
Why? Because we’re learning from past mistakes.

I think that token binding is relying on a lot of “ifs” that aren’t real yet, 
and if those “ifs” become reality then it will be to the benefit of large 
internet companies over everyone else. Additionally, token binding in OAuth is 
far from the simple solution that it’s being sold as. The very nature of an 
access token goes against the original purpose of tying an artifact to a single 
presentation channel. OAuth clients in the real world need to be able to deal 
with multiple resource servers and dynamically deployed APIs, and the token 
binding protocol fundamentally assumes a world where two machines are talking 
directly to each other.

All that said, this working group has consistently shown resistance to solving 
this problem for many years, so the results of this query don’t at all surprise 
me.

 — Justin

> On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> 
> wrote:
> 
> Hi all,
> 
> two questions surfaced at the last IETF meeting, namely
> 
> 1) Do we want to proceed with the symmetric implementation of PoP or,
> alternatively, do we want to move it over to the ACE working group?
> 
> 2) Do we want to continue the work on HTTP signing?
> 
> We would appreciate your input on these two questions.
> 
> Ciao
> Hannes & Derek
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

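An added illustration of the mechanism Justin describes above (sign the token itself with a timestamp and nonce, with the HTTP pieces optional and explicitly declared). This is example code written for this page, not text from the message, the HTTP signing draft, or any IETF implementation. It assumes an HS256-style HMAC over a JWS compact serialization, field names modelled loosely on draft-ietf-oauth-signed-http-request ("at", "ts", "m", "u", "p", "q", "h"), and a constructed shared key; the exact payload layout and the hypothetical "nonce" claim are assumptions for the demo, not the draft's normative encoding.

```python
"""Symmetric PoP presentation: sign the access token plus timestamp/nonce,
and cover HTTP request components only when explicitly declared.
Field names loosely follow draft-ietf-oauth-signed-http-request; the
layout and the "nonce" claim are illustrative assumptions."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _declared_hash(names, values, fold_case=False):
    """Hash only the named components, in the named order, and return
    [names, hash] so the verifier knows exactly what was covered.
    A declared component that is absent from the request is a failure."""
    if fold_case:  # HTTP header names are case-insensitive
        names = [n.lower() for n in names]
        values = {k.lower(): v for k, v in values.items()}
    pairs = []
    for name in names:
        if name not in values:
            raise ValueError(f"declared component missing: {name}")
        pairs.append(f"{name}={values[name]}")
    digest = hashlib.sha256("&".join(pairs).encode()).digest()
    return [list(names), _b64url(digest)]


def sign_request(key, access_token, ts, nonce, method=None, host=None,
                 path=None, query=None, query_names=(), headers=None,
                 header_names=()):
    """Base level: token + timestamp + nonce under the PoP key.
    Every HTTP component is optional and declared when covered."""
    payload = {"at": access_token, "ts": ts, "nonce": nonce}
    if method is not None:
        payload["m"] = method.upper()
    if host is not None:
        payload["u"] = host
    if path is not None:
        payload["p"] = path
    if query_names:
        payload["q"] = _declared_hash(query_names, query or {})
    if header_names:
        payload["h"] = _declared_hash(header_names, headers or {}, fold_case=True)
    head = _b64url(json.dumps({"alg": "HS256", "typ": "pop"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"


def verify_request(key, presented, method, host, path, query, headers, now,
                   max_skew=300, seen_nonces=None):
    """Check MAC, freshness and replay, then only the components the signer
    declared. Anything undeclared in the request is deliberately ignored."""
    head, body, sig = presented.split(".")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(body))
    if abs(now - payload["ts"]) > max_skew:
        raise ValueError("timestamp outside allowed skew")
    if seen_nonces is not None:
        if payload["nonce"] in seen_nonces:
            raise ValueError("nonce replayed")
        seen_nonces.add(payload["nonce"])
    if "m" in payload and payload["m"] != method.upper():
        raise ValueError("method mismatch")
    if "u" in payload and payload["u"] != host:
        raise ValueError("host mismatch")
    if "p" in payload and payload["p"] != path:
        raise ValueError("path mismatch")
    if "q" in payload and _declared_hash(payload["q"][0], query) != payload["q"]:
        raise ValueError("covered query parameters changed")
    if "h" in payload and _declared_hash(payload["h"][0], headers,
                                         fold_case=True) != payload["h"]:
        raise ValueError("covered headers changed")
    return payload


if __name__ == "__main__":
    key = b"constructed-demo-pop-key"  # constructed, not a real secret
    jws = sign_request(key, "tok123", 1700000000, "n1", method="get",
                       host="api.example", path="/v1/items",
                       query={"page": "2", "debug": "1"}, query_names=("page",),
                       headers={"Content-Type": "application/json"},
                       header_names=("Content-Type",))
    print(verify_request(key, jws, "GET", "api.example", "/v1/items",
                         {"page": "2", "debug": "0"},
                         {"content-type": "application/json", "x-trace": "z"},
                         now=1700000010))
```

The point to notice is in `verify_request`: because the signer carries the list of covered names next to each hash, the resource server checks exactly those components and no others, so a proxy rewriting an undeclared header or query parameter does not break verification, while a change to a declared one does.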