Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-device-flow-12: (with DISCUSS)

2018-10-19 Thread Adam Roach

Thanks. I have entered a ballot of "no objection."

/a

On 10/19/18 4:15 PM, William Denniss wrote:

Adam,

Thank you for your feedback and pointers, version 13 should fully 
address your feedback.  Comments inline:


On Wed, Aug 1, 2018 at 5:43 PM, Adam Roach wrote:



--
DISCUSS:
--

Thanks to the authors for addressing my comments and half of my
DISCUSS.
This final issue appears to remain unaddressed:

§3.1:

>  The client initiates the flow by requesting a set of verification
>  codes from the authorization server by making an HTTP "POST" request
>  to the device authorization endpoint.  The client constructs the
>  request with the following parameters, encoded with the
>  "application/x-www-form-urlencoded" content type:

This document needs a normative citation for this media type.

My suggestion would be to cite REC-html5-20141028 section 4.10.22.6, as
this appears to be the most recent stable description of how to encode
this media type. I'd love to hear rationale behind other citations being
more appropriate, since I'm not entirely happy with the one I suggest
above (given that it's been superseded by HTML 5.2); but every other
plausible citation I can find is even less palatable (with HTML 5.2
itself having the drawback of not actually defining how to encode the
media type, instead pointing to an unstable, unversioned document).


Thank you for the advice. I've struggled with this one myself. HTML 
5.2 like you say links to an unstable and unversioned document (albeit 
one that is readable and pleasant for implementors). I wish they had a 
proper stable reference, it seems odd to normatively reference 
something that isn't stable to me, but what can we do?


I went with the exact reference you suggested, it's in version 13.

Best,
William



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
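
The section 3.1 request quoted in the thread above, encoded and decoded the way the cited form-urlencoded algorithm requires, as an added example (not code from the draft, its authors, or anyone in this thread; the client_id, scope, host and endpoint path are constructed for illustration). The second decoder shows why the choice of normative reference is more than a citation nicety: plain RFC 3986 percent-decoding leaves '+' alone, so a space-separated scope list arrives at the authorization server as one unknown scope.

```python
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed parameters for a device authorization request; the client_id
# and scope values are assumptions made for this example.  client_id holds
# a literal '+' and scope holds a space, the two characters on which the
# form-urlencoded algorithm and plain RFC 3986 percent-encoding disagree.
DEVICE_AUTHZ_PARAMS = {"client_id": "tv-app+beta", "scope": "openid profile"}


def encode_form(params):
    """application/x-www-form-urlencoded per the HTML algorithm: a space
    becomes '+', while a literal '+' (and other reserved bytes) becomes %XX."""
    return urlencode(params)


def build_device_authorization_request(params, host="as.example",
                                       path="/device_authorization"):
    """Full HTTP request text for the section 3.1 POST (host and endpoint
    path are assumed)."""
    body = encode_form(params)
    return (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n"
            f"{body}")


def decode_form(body):
    """Correct decoder: '+' is turned back into a space before percent
    decoding, and malformed pairs raise instead of being dropped."""
    return dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))


def decode_percent_only(body):
    """Wrong decoder: RFC 3986 percent-decoding alone.  It leaves '+' in
    place, so a space-separated scope list arrives as one bogus scope."""
    return {unquote(k): unquote(v)
            for k, v in (pair.split("=", 1) for pair in body.split("&"))}
```

urlencode and parse_qsl implement the HTML algorithm (space to '+', literal '+' to %2B); strict_parsing makes the server reject a malformed body rather than silently ignore part of it, which is the behaviour you want at an endpoint that issues credentials.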


[OAUTH-WG] I-D Action: draft-ietf-oauth-distributed-01.txt

2018-10-19 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : Distributed OAuth
Authors : Dick Hardt
  Brian Campbell
  Nat Sakimura
Filename: draft-ietf-oauth-distributed-01.txt
Pages   : 9
Date: 2018-10-19

Abstract:
   The Distributed OAuth profile enables an OAuth client to discover
   what authorization server or servers may be used to obtain access
   tokens for a given resource, and what parameter values to provide in
   the access token request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-distributed/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-distributed-01
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-distributed-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-distributed-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



[OAUTH-WG] I-D Action: draft-ietf-oauth-reciprocal-01.txt

2018-10-19 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : Reciprocal OAuth
Author  : Dick Hardt
Filename: draft-ietf-oauth-reciprocal-01.txt
Pages   : 5
Date: 2018-10-19

Abstract:
   There are times when a user has a pair of protected resources that
   would like to request access to each other.  While OAuth flows
   typically enable the user to grant a client access to a protected
   resource, granting the inverse access requires an additional flow.
   Reciprocal OAuth enables a more seamless experience for the user to
   grant access to a pair of protected resources.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-reciprocal/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-reciprocal-01
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-reciprocal-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-reciprocal-01




[OAUTH-WG] I-D Action: draft-ietf-oauth-distributed-00.txt

2018-10-19 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : Distributed OAuth
Authors : Dick Hardt
  Brian Campbell
  Nat Sakimura
Filename: draft-ietf-oauth-distributed-00.txt
Pages   : 9
Date: 2018-10-19

Abstract:
   The Distributed OAuth profile enables an OAuth client to discover
   what authorization server or servers may be used to obtain access
   tokens for a given resource, and what parameter values to provide in
   the access token request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-distributed/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-distributed-00
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-distributed-00




Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-device-flow-11: (with DISCUSS and COMMENT)

2018-10-19 Thread William Denniss
Hi Benjamin,

Thank you for your detailed review, and suggestions. Version 13 was just
posted, and incorporates your suggestions and feedback.

Replies inline:

On Thu, Aug 2, 2018 at 5:21 PM, Benjamin Kaduk wrote:

> On Wed, Aug 01, 2018 at 05:16:52PM -0700, William Denniss wrote:
> > Benjamin,
> >
> > Thank you for the feedback. We just posted version 12 which addresses
> > many of your feedback points. Replies inline.
> >
> > On Tue, Jul 24, 2018 at 6:31 AM, Benjamin Kaduk wrote:
> >
> > >
> > > --
> > > DISCUSS:
> > > --
> > >
> > > Let me preface this by noting that I'm not sure that all of these
> > > points are actionable; I would, however, like to discuss them.
> > >
> > > I'm really unhappy to not see any hard numbers on the entropy needed
> > > in a user code to provide a reasonable security margin with given
> > > parameters, and how it compares to the guessability bounds considered
> > > best practices in general (across protocols).  For example, we think
> > > 128-bit symmetric keys are okay because an attacker has to put in
> > > 2**96 work to have a 2**-32 chance of guessing correctly via brute
> > > force; the rate limiting and finite lifetime on the user code places
> > > an artificial limit on the amount of work an attacker can "do", so if
> > > one uses an 8-character base-20 user code (with roughly 34.5 bits of
> > > entropy), the rate-limiting interval and validity period would need
> > > to only allow 5 attempts in order to get the same 2**-32 probability
> > > of success by random guessing.
> > > Section 5.1 would be a great place for such text, near the preexisting:
> > >    The user code SHOULD have enough entropy that when combined with
> > >    rate limiting and other mitigations makes a brute-force attack
> > >    infeasible.
> > >
> > >
> > Thank you for the comment, the authors are still considering the right
> > way to address this feedback.
> >
> >
> >
> > > We talk about "the authorization server", but any given *user* may
> > > have a relationship with multiple such ASes.  Can the Introduction
> > > make it more clear that the AS is associated with the device/client,
> > > and as such it may not be the user's most-trusted AS?
> > >
> >
> > Sometimes the device is really an app on the device. E.g. a Roku TV
> > device (a "tv stick") that has several apps. Hulu, where the AS is
> > hulu, and YouTube, where the AS is YouTube (these are both "first
> > party" use-cases where the app and the AS are owned by the same
> > entity). The user may also have a Canon printer, which has a device
> > flow to Google, to authorize it to print documents (a "third-party"
> > use-case).
> >
> > I'm not sure exactly what we should say in the introduction to address
> > your feedback here.
>
> The document text is currently referring to a single AS (the definite
> article "the" in "the authorization server") as if everyone knows which one
> to use as a prerequisite of using this flow.  That is presumably true for
> the devices in question, but it's not necessarily true for the reader of
> the spec.  So, I'd propose to say something like "connect to the device's
> authorization server to approve the access request" or "connect to the
> authorization server that the device trusts to mediate authorization
> decisions".  (Gosh, it's hard to write the second one without using
> "grant"!)
>

I added a section in the introduction to clarify the relationship of the
device to the AS:

   The device typically chooses the set of authorization servers to
   support (i.e., its own authorization server, or those by providers it
   has relationships with).  It is not uncommon for the device
   application to support only a single authorization server, such as
   with a TV application for a specific media provider that supports
   only that media provider's authorization server.  The user may not
   have an established relationship yet with that authorization
   provider, though one can potentially be set up during the
   authorization flow.


Does that improve the understanding of this concept? I can add the text
you propose directly too.


>
> > It also seems like a large latent risk with this flow is when the
> > > verification_uri_complete response is used along with an AS that
> assumes an
> > > authenticated user making such a verification request has approved the
> > > authorization (i.e., without an explicit user interaction to confirm),
> when
> > > that AS uses cookies or other persistent state to keep the user
> > > authenticated across multiple requests.  I could not find any
> MUST-level
> > > requirement for user interaction to confirm the device being authorized
> > > (even in Section 3.3, which covers the regular verificat_uri
> workflow!);
> > > please let me know if I missed something.  I would like to see some
> > > explicit text that (matching

[OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-13.txt

2018-10-19 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : OAuth 2.0 Device Flow for Browserless and Input 
Constrained Devices
Authors : William Denniss
  John Bradley
  Michael B. Jones
  Hannes Tschofenig
Filename: draft-ietf-oauth-device-flow-13.txt
Pages   : 21
Date: 2018-10-19

Abstract:
   This OAuth 2.0 authorization flow is designed for devices that either
   lack a browser to perform a user-agent based OAuth flow, or are
   input-constrained to the extent that requiring the user to input a
   lot of text (like their credentials to authenticate with the
   authorization server) is impractical.  It enables OAuth clients on
   such devices (like smart TVs, media consoles, digital picture frames,
   and printers) to obtain user authorization to access protected
   resources without using an on-device user-agent, provided that they
   have an Internet connection.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-13

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-13




[OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 103

2018-10-19 Thread "IETF Secretariat"
Dear Rifaat Shekh-Yusef,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request. 


oauth Session 1 (1:30 requested)
Monday, 5 November 2018, Morning Session I 0900-1100
Room Name: Meeting 2 size: 150
-
oauth Session 2 (1:30 requested)
Tuesday, 6 November 2018, Morning Session II 1120-1220
Room Name: Meeting 1 size: 150
-


iCalendar: https://datatracker.ietf.org/meeting/103/sessions/oauth.ics

Request Information:


-
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Rifaat Shekh-Yusef

Number of Sessions: 2
Length of Session(s):  1.5 Hours, 1.5 Hours
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: secevent teep suit core tls ace tokbind saag




People who must be present:
  Eric Rescorla
  Hannes Tschofenig

Resources Requested:

Special Requests:
  
-



[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-resource-indicators-01.txt

2018-10-19 Thread Brian Campbell
A bit overdue but still before the impending Internet Draft submission
cut-off date, -01 of Resource Indicators for OAuth 2.0 has been published.
A summary of the changes, copied from the Document History, is listed
below.

draft-ietf-oauth-resource-indicators-01
o  Significant rework of the main section of the document attempting
   to clarify a number of things that came up at, around and after
   IETF 102 and the call for adoption.
o  Change the "invalid_resource" error to "invalid_target" to align
   with draft-ietf-oauth-token-exchange, which has some overlap in
   functionality.
o  Allow the "resource" parameter value to have a query component
   (aligning with draft-ietf-oauth-token-exchange).
o  Moved the Security Considerations section to before the IANA
   Considerations.
o  Other editorial updates.
o  Rework the Acknowledgements section.
o  Use RFC 8174 boilerplate.



-- Forwarded message -
Date: Fri, Oct 19, 2018 at 9:39 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-resource-indicators-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : Resource Indicators for OAuth 2.0
Authors : Brian Campbell
  John Bradley
  Hannes Tschofenig
Filename: draft-ietf-oauth-resource-indicators-01.txt
Pages   : 13
Date: 2018-10-19

Abstract:
   An extension to the OAuth 2.0 Authorization Framework defining
   request parameters that enable a client to explicitly signal to an
   authorization server about the location of the protected resource(s)
   to which it is requesting access.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-indicators-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-resource-indicators-01





[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-exchange-16.txt

2018-10-19 Thread Brian Campbell
Not much to see here: In -16 a typo was fixed and Ben was added as an AD in
the Acknowledgements.

-- Forwarded message -
Date: Fri, Oct 19, 2018 at 6:32 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-16.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : OAuth 2.0 Token Exchange
Authors : Michael B. Jones
  Anthony Nadalin
  Brian Campbell
  John Bradley
  Chuck Mortimore
Filename: draft-ietf-oauth-token-exchange-16.txt
Pages   : 34
Date: 2018-10-19

Abstract:
   This specification defines a protocol for an HTTP- and JSON- based
   Security Token Service (STS) by defining how to request and obtain
   security tokens from OAuth 2.0 authorization servers, including
   security tokens employing impersonation and delegation.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-16

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-16





[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-binding-08.txt

2018-10-19 Thread Brian Campbell
This minor draft revision updates some references and expands the
Acknowledgements a bit.

-08
o  Update reference to -03 of openid-connect-token-bound-
   authentication.
o  Update the references to the core token binding specs, which are
   now RFCs.
o  Update reference to AS metadata, which is now RFC.
o  Add chairs and ADs to the Acknowledgements.


-- Forwarded message -
Date: Fri, Oct 19, 2018 at 6:12 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-binding-08.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title   : OAuth 2.0 Token Binding
Authors : Michael B. Jones
  Brian Campbell
  John Bradley
  William Denniss
Filename: draft-ietf-oauth-token-binding-08.txt
Pages   : 30
Date: 2018-10-19

Abstract:
   This specification enables OAuth 2.0 implementations to apply Token
   Binding to Access Tokens, Authorization Codes, Refresh Tokens, JWT
   Authorization Grants, and JWT Client Authentication.  This
   cryptographically binds these tokens to a client's Token Binding key
   pair, possession of which is proven on the TLS connections over which
   the tokens are intended to be used.  This use of Token Binding
   protects these tokens from man-in-the-middle and token export and
   replay attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-binding/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-08
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-binding-08



