[OAUTH-WG] key vs. cert fingerprint in -security-topics-13

2019-12-23 Thread Brian Campbell
The description of OAuth Mutual TLS in https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.8..1.2 says the "client is identified towards the resource server by the fingerprint of its public key" but it's actually a fingerprint/hash of the certificate not the public key. See ht

[OAUTH-WG] postmessage communication in -security-topics-13

2019-12-23 Thread Brian Campbell
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.3..2 has "Replace implicit flow with postmessage communication or ..." but without a defined and interoperable way of using postmessage communication in place of the implicit flow that "proposed countermeasure" seems a proble

[OAUTH-WG] Token Binding & -security-topics-13?

2019-12-23 Thread Brian Campbell
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13 mentions or suggests the use of token binding as an option in a few places. However, the OAuth 2.0 Token Binding draft expired back in April and is looking highly unlikely to progress or be updated further. It's also pretty much undep

[OAUTH-WG] !@s in -security-topics-13

2019-12-23 Thread Brian Campbell
There are a few occurrences of [!@RFC...] which presumably come from a typo in the markdown source for mmark (switching the order of '@' and '!').

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-23 Thread Justin Richer
Vectors of Trust was meant to be used in place of things like AuthenticationContextReference (acr) and its kin, so this is a fair assessment. It does still require a shared understanding of what a given vector means by processing it in the context of its trust mark. — Justin > On Dec 23, 201

Re: [OAUTH-WG] Doodle Poll for OAuth Virtual Interim Meeting

2019-12-23 Thread Brian Campbell
BTW and FWIW the mention of a virtual interim first came up in Singapore in the context of continuing the discussion around DPoP/PoP. https://www.youtube.com/watch?v=hVQZR1IvS1E&feature=youtu.be&t=3924 On Mon, Dec 16, 2019 at 11:12 AM Hannes Tschofenig < hannes.tschofe...@arm.com> wrote: > Hi a

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-23 Thread Benjamin Kaduk
On Tue, Dec 17, 2019 at 09:12:26PM +, Richard Backman, Annabelle wrote: > > That's a pretty strong statement :) > > One I should’ve clarified. 😃 I don’t mean that the one-RS-per-AT model is not > used at all, just that it is not universal and comes with real, practical > tradeoffs that may n

Re: [OAUTH-WG] Meeting Minutes

2019-12-23 Thread Torsten Lodderstedt
If I got you right you want to see more people reading the draft? 6 non authors had read the draft in Singapore + more people already indicated their support for WG adoption in this thread. How many readers does it take to qualify for a call for adoption? > On 23. Dec 2019, at 16:56, Hannes

Re: [OAUTH-WG] Meeting Minutes

2019-12-23 Thread Hannes Tschofenig
During the vacation period few people pay attention to the list. I guess early 2020 would be useful. If you manage to ping some folks to review the draft that would be great. Too few raised their hands in Singapore when we asked. Happy holidays! From: Torsten Lodderstedt Sent: Saturday, Decemb