[OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec for IESG telechat

2015-12-17 Thread Mike Jones
Proof-of-Possession Key Semantics for JWTs draft -10 was published for consideration on the IESG telechat later today. All changes were editorial and addressed ballot comments by Barry Leiba. The

Re: [OAUTH-WG] [Errata Held for Document Update] RFC6819 (4267)

2015-12-17 Thread torsten
Hi all, the report is correct. Please consider it an errata to RFC 6819. kind regards, Torsten. On 08.12.2015 16:05, RFC Errata System wrote: The following errata report has been held for document update for RFC6819, "OAuth 2.0 Threat Model and Security Considerations".

Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-proof-of-possession-10: (with COMMENT)

2015-12-17 Thread Mike Jones
Thanks for your review, Stephen. Replies inline below... > -Original Message- > From: Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] > Sent: Thursday, December 17, 2015 12:45 PM > To: The IESG > Cc: draft-ietf-oauth-proof-of-possess...@ietf.org; oauth-cha...@ietf.org;

Re: [OAUTH-WG] [Errata Held for Document Update] RFC6819 (4267)

2015-12-17 Thread Phil Hunt (IDM)
+1 Phil > On Dec 17, 2015, at 15:00, tors...@lodderstedt.net wrote: > > Hi all, > > the report is correct. Please consider it an errata to RFC 6819. > > kind regards, > Torsten. > > On 08.12.2015 16:05, RFC Errata System wrote: >> The following errata report has been held for document

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec for IESG telechat

2015-12-17 Thread Kathleen Moriarty
Hi Mike, Thanks for getting these comments addressed prior to the call today! Barry, thanks for your detailed review! Kathleen On Thu, Dec 17, 2015 at 5:24 AM, Mike Jones wrote: > Proof-of-Possession Key Semantics for JWTs draft -10 was published for >

[OAUTH-WG] OAuth Recharting

2015-12-17 Thread Hannes Tschofenig
Hi all, at the last IETF meeting in Yokohama we had a rechartering discussion and below is proposed text for the new charter. Please take a look at it and tell me whether it appropriately covers the discussions from our last meeting. --- Charter Text The Web Authorization (OAuth)

Re: [OAUTH-WG] implementations of draft-ietf-oauth-proof-of-possession

2015-12-17 Thread Hannes Tschofenig
Samuel and I had been working on a prototype implementation of the PoP tokens for an IoT scenario, which we showed at ARM TechCon. It used the JWT (instead of the CBOR-encoded version of the JWT since we had JOSE code available). Our version used symmetric key cryptography. Roland Hedberg also

Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us

2015-12-17 Thread Brian Campbell
Fair questions Rifaat, Typically a token exchange is done to exchange a temporary credential (the token the client sends in) for a different temporary credential (the issued token) that can be used in some other context. A refresh token would be an additional credential issued and one that

Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us

2015-12-17 Thread Rifaat Shekh-Yusef
Hi Brian, Thanks for your response. Yes, that clarifies it for me. It would be great if you can add some text around these two issues to the next version of the document. Regards, Rifaat On Thu, Dec 17, 2015 at 10:24 AM, Brian Campbell wrote: > Fair questions

[OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-proof-of-possession-10: (with COMMENT)

2015-12-17 Thread Stephen Farrell
Stephen Farrell has entered the following ballot position for draft-ietf-oauth-proof-of-possession-10: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Re: [OAUTH-WG] OAuth Recharting

2015-12-17 Thread Kepeng Li
Hi Hannes, Thanks for putting this together. >and specifications that mitigate security attacks, such as Proof Key for >Code Exchange. I propose to change it to: and specifications that mitigate security attacks, such as Proof Key for Code Exchange, and Sender Constraint JSON Web Token.