A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token Usage Author(s) : Hannes Tschofenig Filename : draft-tschofenig-oauth-hotk-00.txt Pages : 15 Date : 2012-07-09 Abstract: OAuth 2.0 deployments currently rely on bearer tokens for securing access to protected resources. Bearer tokens require Transport Layer Security to be used between an OAuth client and the resource server when presenting the access token in order to get access. The security model is based on proof-of-possession of the access token: access token storage and transfer has to be done with care to prevent leakage. There are, however, use cases that require a more active involvement of the OAuth client to offer increased security, particularly against token leakage. This document specifies an OAuth security framework using ephemeral asymmetric credentials that are bound to the access token. A client can create these key pairs dynamically and use them, after they are bound to an access token by the authorization server, in communication interactions with resource servers. This document is discussed at https://www.ietf.org/mailman/listinfo/oauth. This initial version of the specification shall serve as a discussion starter. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk There's also a htmlized version available at: http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-00 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ _______________________________________________ I-D-Announce mailing list I-D-Announce@ietf.org https://www.ietf.org/mailman/listinfo/i-d-announce Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt