Agreed that token signing is separate from message signing as a proposition. I
just happened to stick all of our "signing" conversations into one bucket of
notes... Sorry that was confusing.
Eve
On 12 Mar 2010, at 11:06 AM, Brian Eaton wrote:
> On Fri, Mar 12, 2010 at 10:22 AM, Eve M

Yes, the third-party-based non-repudiation with symmetric cryptography
is a complex thing. The way I would apply it to the Client request is
as follows:
1) The Client sends the token request, R, to the Third Party (and, you
are right, the Third Party must know who the client is, and so one

Hi Igor,
Thanks for the explanation. Unfortunately, I am more confused. How does the third
party know who the Client is?
I don't understand how an Access Token plus a signing secret gives any more
assurance than an Access Token unless I get the Access Token from a different
place than the signing s

Dick,
The trick here is THE THIRD PARTY (referred to in the last words of
Eve's message), who is effectively a witness to the transaction. (This
works pretty much like when you want to switch your telephone provider.
You would be transferred to the third party to confirm your request.)
Absent

On Fri, Mar 12, 2010 at 10:22 AM, Eve Maler wrote:
> It was observed that the argument in the OAuth community about token size
> seems to be related to token signing, thusly: those who are willing to
> require the Authorization Server to be stateless need large meaningful
> tokens and want them si

On 2010-03-12, at 10:22 AM, Eve Maler wrote:
> This nets out to the requesting party (person or company seeking access)
> having an incentive to say "It's really me accessing this", such that it
> mitigates the risk that the requester (client) will hand off both the access
> token and the sign

In the recent thread here:
http://www.ietf.org/mail-archive/web/oauth/current/msg01234.html
Subject: "Recent UMA work that may inform this group's deliberations"
...Dick and I had a bit of discussion around UMA's proposal for a back-channel
method of token validation that a Protected Resource co

Here is some late input to this thread. The UMA group had a F2F meeting on
Wednesday, for which draft minutes are written up here:
http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2010-03-10
I had taken an action from the last OAuth telecon to collect UMA use cases that
related