It's my understanding that "Unbearable" is part of an effort to create a new working group scoped to work on deliverables based upon these input documents:

http://tools.ietf.org/html/draft-balfanz-https-token-binding
http://tools.ietf.org/html/draft-popov-token-binding

I don't think that it was ever intended to cover every aspect of proof-of-possession and so there's not actually any conflict with the work we're already doing in OAuth. (Nor does it seem to me to be productive to add even more documents-in-flight to the OAuth working group at present.)

Cheers,
-- Mike

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@xxxxxxxx] On Behalf Of Derek Atkins
Sent: Saturday, December 06, 2014 11:20 AM
To: ietf@xxxxxxxx
Cc: Andrei Popov; unbearable@xxxxxxxx; Stephen Farrell
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable

Hi,

IETF Secretariat <ietf-secretariat@xxxxxxxx> writes:

> A new IETF non-working group email list has been created.
>
> List address: unbearable@xxxxxxxx
> Archive: http://www.ietf.org/mail-archive/web/unbearable/
> To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
>
> Purpose:
>
> This list is for discussion of proposals for doing better than bearer
> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
> The specific goal is chartering a WG focused on preventing security
> token export and replay attacks.

The OAUTH Working Group is already (and has been for a while!) looking into "holder of key" protocols to improve upon Bearer Tokens. I would suggest that this work happen there instead of creating a whole new group for it.

-derek

> For additional information, please contact the list administrators.

--
Derek Atkins 617-623-3745
derek@xxxxxxxxx www.ihtfp.com
Computer and Internet Security Consultant