Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread John Bradley
Holder of key JWT is still in draft and we don't have a clear way to present the proof to the token endpoint. Brian and I started discussing that last week as I happen to have a use case for a PoP JWT assertion flow in some other spec work. I think that there is enough difference between bearer

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Richard Barnes
On Thu, Oct 16, 2014 at 3:20 PM, Richard Barnes wrote: > You guys are all arguing that having an Audience can be useful. I don't > disagree. I disagree that it should be REQUIRED in all cases. > > The Google vulnerability that Brian raised was an interesting read, but as > John points out, it o

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-saml2-bearer-21: (with DISCUSS)

2014-10-16 Thread Richard Barnes
That's what you get for duplicating all the text :) On Thu, Oct 16, 2014 at 2:00 PM, Brian Campbell wrote: > Basically the same response to the basically same question as from > http://www.ietf.org/mail-archive/web/oauth/current/msg13608.html > > On Wed, Oct 15, 2014 at 9:56 PM, Richard Barnes

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-jwt-bearer-10: (with DISCUSS and COMMENT)

2014-10-16 Thread Richard Barnes
On Thu, Oct 16, 2014 at 1:44 PM, Brian Campbell wrote: > Thanks for your review and feedback on this one too, Richard. Replies are > inline below... > > On Wed, Oct 15, 2014 at 10:01 PM, Richard Barnes wrote: > >> Richard Barnes has entered the following ballot position for >> draft-ietf-oauth-j

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Richard Barnes
You guys are all arguing that having an Audience can be useful. I don't disagree. I disagree that it should be REQUIRED in all cases. The Google vulnerability that Brian raised was an interesting read, but as John points out, it only applies to Bearer Assertions. There's no security requirement

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Brian Campbell
Alright, I'll add RS256 and http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 as mandatory to implement in the next revision of draft-ietf-oauth-jwt-bearer and draft-ietf-oauth-saml2-bearer respectively. Thanks for the pointers, Stephen. On Thu, Oct 16, 2014 at 3:57 PM, Kathleen Moriarty < kathle

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Kathleen Moriarty
On Thu, Oct 16, 2014 at 5:39 PM, Brian Campbell wrote: > Hiya in return and inline below... > > On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell < > stephen.farr...@cs.tcd.ie> wrote: > >> >> Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the >> JOSE one has only H256 as required.

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Stephen Farrell
On 16/10/14 22:39, Brian Campbell wrote: > Hiya in return and inline below... > > On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell > wrote: > >> >> Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the >> JOSE one has only H256 as required. >> >> Doesn't that seem like one is una

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Brian Campbell
Hiya in return and inline below... On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell wrote: > > Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the > JOSE one has only H256 as required. > > Doesn't that seem like one is unacceptably old and the other > is not great for this purpos

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Hans Zandbelt
a deployment-related question that I have around this topic: it seems that authentication using OAuth 2.0 is possible today for confidential clients using the code flow, with a registered redirect_uri, not consuming/storing/using refresh_tokens, and assuming that there's an API that returns us

Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Brian Campbell
On Thu, Oct 16, 2014 at 2:54 PM, Stephen Farrell wrote: > > > Some stuff needs to be exchanged out-of-band for this to work. > > Entity/issuer/audience identifiers are part of that. This need is > discussed > > in the Interoperability Considerations at > > https://tools.ietf.org/html/draft-ietf-o

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-saml2-bearer-21: (with DISCUSS)

2014-10-16 Thread Brian Campbell
Basically the same response to the basically same question as from http://www.ietf.org/mail-archive/web/oauth/current/msg13608.html On Wed, Oct 15, 2014 at 9:56 PM, Richard Barnes wrote: > Richard Barnes has entered the following ballot position for > draft-ietf-oauth-saml2-bearer-21: Discuss >

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Stephen Farrell
Hiya, On 16/10/14 21:06, Brian Campbell wrote: > Thanks for your review and feedback on this one too, Stephen. Replies are > inline below... > > On Thu, Oct 16, 2014 at 5:22 AM, Stephen Farrell > wrote: > >> Stephen Farrell has entered the following ballot position for >> draft-ietf-oauth-asse

Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Stephen Farrell
Hiya, Mostly fine just a couple of notes. On 16/10/14 20:28, Brian Campbell wrote: > Thanks for your review and feedback, Stephen. Replies are inline below... > > On Thu, Oct 16, 2014 at 5:20 AM, Stephen Farrell > wrote: > >> Stephen Farrell has entered the following ballot position for >> dr

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-jwt-bearer-10: (with DISCUSS and COMMENT)

2014-10-16 Thread Brian Campbell
Thanks for your review and feedback on this one too, Richard. Replies are inline below... On Wed, Oct 15, 2014 at 10:01 PM, Richard Barnes wrote: > Richard Barnes has entered the following ballot position for > draft-ietf-oauth-jwt-bearer-10: Discuss > > When responding, please keep the subject

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Brian Campbell
Thanks for your review and feedback on this one too, Stephen. Replies are inline below... On Thu, Oct 16, 2014 at 5:22 AM, Stephen Farrell wrote: > Stephen Farrell has entered the following ballot position for > draft-ietf-oauth-assertions-17: Discuss > > When responding, please keep the subject

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Richer, Justin P.
Those interested in helping edit the text directly can follow along on this GitHub fork: https://github.com/jricher/oauth.net/tree/authentication Once a reasonable number of eyes have seen that page, we'll get it published onto oauth.net. Aaron Parecki has offered to add a "Draft" banner to the

Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Brian Campbell
Thanks for your review and feedback, Stephen. Replies are inline below... On Thu, Oct 16, 2014 at 5:20 AM, Stephen Farrell wrote: > Stephen Farrell has entered the following ballot position for > draft-ietf-oauth-saml2-bearer-21: No Objection > > When responding, please keep the subject line int

Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-jwt-bearer-10: (with COMMENT)

2014-10-16 Thread Stephen Farrell
Ah fair enough, forgot that. S. On 16/10/14 14:10, Brian Campbell wrote: > A JWT, by its very definition, is a set of base64url pieces concatenated > together with dot "." characters (which is also URL safe). So no additional > encoding or serialization of the JWT is needed. > > On Thu, Oct 16

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Anthony Nadalin
Same here -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, October 16, 2014 10:17 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call For what it's worth, I was on th

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Richer, Justin P.
Ah yes, good catch! If only someone would put up a webpage describing the difference between authorization and authentication and why people need to stop confusing the two. Oh wait... On Oct 16, 2014, at 1:06 PM, Hans Zandbelt wrote: > About the write-up: at the end of the metaphor section i

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Mike Jones
For what it's worth, I was on the call too - until I and Brian left to join the telechat for the OAuth assertions drafts. -- Mike -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday, October 16, 2014

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Hans Zandbelt
About the write-up: at the end of the metaphor section it says: "These recipes each add a number of items, such as a common profile API, to OAuth to create an authorization protocol." whereas I believe that should read "to create an authentication protocol" Hans. On 10/16/14, 6:54 PM, Hannes

Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Pete Resnick
On 10/16/14 7:56 AM, Brian Campbell wrote: Thanks for your review and feedback on this one too, Pete. Replies are inline below... On Tue, Oct 14, 2014 at 7:56 PM, Pete Resnick mailto:presn...@qti.qualcomm.com>> wrote: 2.1/2.2 - This paragraph shows why I don't like haphazard use of 2119.

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Phil Hunt
It is also important for a non-protocol purpose. Liability. If a 3rd party uses an assertion that was not intended for it, it cannot obviously hold the asserting party responsible. Phil @independentid www.independentid.com phil.h...@oracle.com On Oct 16, 2014, at 8:43 AM, Brian Campbell w

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread John Bradley
Having an audience is an important part of keeping the assertions from being reused inappropriately. I think the difference between this and PKIX is that a certificate references a private key so is in a sense only usable by the holder of that key. If we were talking about holder of key /Proof

Re: [OAUTH-WG] Benoit Claise's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Mike Jones
Thanks for your review, Benoit. Replies are inline below... > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Benoit Claise > Sent: Thursday, October 16, 2014 5:34 AM > To: The IESG > Cc: oauth-cha...@tools.ietf.org; draft-ietf-oauth-saml2-bea...@tools.ietf.o

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Brian Campbell
Thanks for your review and feedback, Richard. Replies are inline below... On Wed, Oct 15, 2014 at 9:47 PM, Richard Barnes wrote: > Richard Barnes has entered the following ballot position for > draft-ietf-oauth-assertions-17: Discuss > > When responding, please keep the subject line intact and r

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Richard Barnes
On Thu, Oct 16, 2014 at 8:29 AM, Mike Jones wrote: > Thanks for your review, Richard. I'm replying to your DISCUSS about the > audience being required below... > > -- Mike > > > -Original Message- > > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf O

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Mike Jones
Thanks for your review, Richard. I'm replying to your DISCUSS about the audience being required below... -- Mike > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes > Sent: Wednesday, October 15, 2014 8:48 PM > T

[OAUTH-WG] Fwd: Ted Lemon's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS)

2014-10-16 Thread Brian Campbell
I realized that I'd accidentally replied only to Ted in this thread (email is hard!). So I wanted to send our discussion to the original cc list so it'd be more on the record and also because I believe this discussion is related to, and may help inform, some other comments that came in this morning

[OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-assertions-17: (with COMMENT)

2014-10-16 Thread Ted Lemon
Ted Lemon has entered the following ballot position for draft-ietf-oauth-assertions-17: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to htt

Re: [OAUTH-WG] Benoit Claise's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Kathleen Moriarty
Thanks, Benoit. I'll double check this before the draft progresses. Thanks, Kathleen Sent from my iPhone > On Oct 16, 2014, at 8:33 AM, "Benoit Claise" wrote: > > Benoit Claise has entered the following ballot position for > draft-ietf-oauth-saml2-bearer-21: No Objection > > When responding,

Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-jwt-bearer-10: (with COMMENT)

2014-10-16 Thread Brian Campbell
A JWT, by its very definition, is a set of base64url pieces concatenated together with dot "." characters (which is also URL safe). So no additional encoding or serialization of the JWT is needed. On Thu, Oct 16, 2014 at 5:22 AM, Stephen Farrell wrote: > Stephen Farrell has entered the followin

[OAUTH-WG] Ted Lemon's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS)

2014-10-16 Thread Ted Lemon
Ted Lemon has entered the following ballot position for draft-ietf-oauth-assertions-17: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://w

Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-jwt-bearer-10: (with COMMENT)

2014-10-16 Thread Brian Campbell
Likewise, I will not repeat stuff here but will apply appropriate changes from your comments on draft-ietf-oauth-saml2-bearer as they apply here to draft-ietf-oauth-jwt-bearer. On Tue, Oct 14, 2014 at 8:05 PM, Pete Resnick wrote: > Pete Resnick has entered the following ballot position for > dra

Re: [OAUTH-WG] Pete Resnick's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Brian Campbell
Thanks for your review and feedback on this one too, Pete. Replies are inline below... On Tue, Oct 14, 2014 at 7:56 PM, Pete Resnick wrote: > Pete Resnick has entered the following ballot position for > draft-ietf-oauth-saml2-bearer-21: No Objection > > When responding, please keep the subject l

[OAUTH-WG] Benoit Claise's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Benoit Claise
Benoit Claise has entered the following ballot position for draft-ietf-oauth-saml2-bearer-21: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer

[OAUTH-WG] (no subject)

2014-10-16 Thread GHOST SPY
ghostcharme...@gmail.com

Re: [OAUTH-WG] OAuth Digest, Vol 72, Issue 31

2014-10-16 Thread GHOST SPY
ghostcharme...@gmail.com On Oct 16, 2014 4:21 AM, wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help

[OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-jwt-bearer-10: (with COMMENT)

2014-10-16 Thread Stephen Farrell
Stephen Farrell has entered the following ballot position for draft-ietf-oauth-jwt-bearer-10: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer

[OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

2014-10-16 Thread Stephen Farrell
Stephen Farrell has entered the following ballot position for draft-ietf-oauth-assertions-17: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to ht

[OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-saml2-bearer-21: (with COMMENT)

2014-10-16 Thread Stephen Farrell
Stephen Farrell has entered the following ballot position for draft-ietf-oauth-saml2-bearer-21: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refe