Re: [Unbearable] New Non-WG Mailing List: unbearable


We did discuss this at the last IETF meeting.

While the work is closely related to the PoP work in OAuth it is not the same. It will allow us to do PoP tokens for the implicit flow, something that we haven't touched yet in OAuth because we don't have a workable way to manage keys in the browser. This work should allow us to do that.

I think the slide deck examples showing JWT using different mechanisms to express keys from the work done in the OAuth WG may be part of what has some people concerned.

I don't think these specs overlap with OAuth, but we do need to be mindful of scope creep. As I stated at the F2F we need to have the two groups work together, so that we can have PoP tokens via the browser.

John B.


> On Dec 8, 2014, at 6:58 PM, Mike Jones <Michael.Jones@xxxxxxxxxxxxx> wrote:
> 
> It's my understanding that "Unbearable" is part of an effort to create a new working group scoped to work on deliverables based upon these input documents:
> 
> http://tools.ietf.org/html/draft-balfanz-https-token-binding
> http://tools.ietf.org/html/draft-popov-token-binding
> 
> I don't think that it was ever intended to cover every aspect of proof-of-possession and so there's not actually any conflict with the work we're already doing in OAuth.  (Nor does it seem to me to be productive to add even more documents-in-flight to the OAuth working group at present.)
> 
> 				Cheers,
> 				-- Mike
> 
> -----Original Message-----
> From: Unbearable [mailto:unbearable-bounces@xxxxxxxx] On Behalf Of Derek Atkins
> Sent: Saturday, December 06, 2014 11:20 AM
> To: ietf@xxxxxxxx
> Cc: Andrei Popov; unbearable@xxxxxxxx; Stephen Farrell
> Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
> 
> Hi,
> 
> IETF Secretariat <ietf-secretariat@xxxxxxxx> writes:
> 
>> A new IETF non-working group email list has been created.
>> 
>> List address: unbearable@xxxxxxxx
>> Archive: http://www.ietf.org/mail-archive/web/unbearable/
>> To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
>> 
>> Purpose:
>> 
>> This list is for discussion of proposals for doing better than bearer 
>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. 
>> The specific goal is chartering a WG focused on preventing security 
>> token export and replay attacks.
> 
> 
> The OAUTH Working Group is already (and has been for a while!) looking into "holder of key" protocols to improve upon Bearer Tokens.
> 
> I would suggest that this work happen there instead of creating a whole new group for it.
> 
> -derek
> 
>> For additional information, please contact the list administrators.
> 
> -- 
>       Derek Atkins                 617-623-3745
>       derek@xxxxxxxxx             www.ihtfp.com
>       Computer and Internet Security Consultant
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/unbearable
