Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-25 Thread Sergey Beryozkin
Hi Hannes On 25/04/14 10:44, Hannes Tschofenig wrote: Hi Sergey, On 04/25/2014 11:38 AM, Sergey Beryozkin wrote: Hopefully PoP model will not be made exclusive for JWT only, it won't be very OAuth2 friendly IMHO... Note that draft-richer-oauth-signed-http-request-01 doesn't use JWTs. I just u

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-25 Thread Hannes Tschofenig
Hi Sergey, On 04/25/2014 11:38 AM, Sergey Beryozkin wrote: > Hopefully PoP model will not be made exclusive for JWT only, it won't be > very OAuth2 friendly IMHO... Note that draft-richer-oauth-signed-http-request-01 doesn't use JWTs. I just uses a JSON-based encoding of the parameters. I put a s

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-25 Thread Sergey Beryozkin
On 25/04/14 10:23, Hannes Tschofenig wrote: Good question. The architecture allows different mechanisms to be used for proof-of-possession between the client and the resource server. With the publication of draft-richer-oauth-signed-http-request-01 we have a version that uses a JOSE-based encodin

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-25 Thread Hannes Tschofenig
Good question. The architecture allows different mechanisms to be used for proof-of-possession between the client and the resource server. With the publication of draft-richer-oauth-signed-http-request-01 we have a version that uses a JOSE-based encoding. I have not had time to illustrate how the M

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-25 Thread Sergey Beryozkin
Hi Hannes Is the MAC token effort you were leading still on the map ? Thanks, Sergey On 24/04/14 20:42, Hannes Tschofenig wrote: Btw, the HTTP signature mechanism now also got published as http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 I think we now have a pretty good c

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-24 Thread Hannes Tschofenig
Btw, the HTTP signature mechanism now also got published as http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 I think we now have a pretty good collection of documents to look at. Ciao Hannes On 04/24/2014 06:40 PM, Hannes Tschofenig wrote: > Hi Lewis, > > good that you ask.

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-24 Thread Hannes Tschofenig
Hi Lewis, good that you ask. In the London IETF meeting we have proposed a plan on how to proceed with the proof-of-possession (PoP) work. John had already explained that the main document is draft-hunt-oauth-pop-architecture-00. It pains the big picture and points to the relevant documents, in

Re: [OAUTH-WG] HOTK/POP/etc drafts

2014-04-24 Thread John Bradley
The overview document is draft-hunt-oauth-pop-architecture-00 For the client requesting POP tokens and key draft-bradley-oauth-pop-key-distribution For how to include the proof key info in a JWT (more generic than just access tokens) draft-jones-oauth-proof-of-possession The draft-sakimura-oau

[OAUTH-WG] HOTK/POP/etc drafts

2014-04-24 Thread Lewis Adam-CAL022
Hi, Lots of crypto drafts on OAuth popping up that I need to come up to speed on. draft-bradley-oauth-pop-key-distribution-00 draft-hunt-oauth-pop-architecture-00