[Openid-specs-ab] AB/Connect WG Note (2015-10-19)

Justin Richer jricher at mit.edu
Wed Oct 21 18:07:25 UTC 2015


This is a means of providing message integrity on top of other systems like TLS.  You’re right that most systems won’t need it, in which case they just sign a nonce and send it over to get HoK characteristics. But I think we can have the same core mechanism used to also sign the HTTP request (or parts of it) if you want to. That’s the basic idea of re-using the JWT compact form with hashes generated from the HTTP request; we can combine a lot of stuff into a single mechanism. The issues Brian points out are all very real and they need to be fixed before it’s really viable. I haven’t had time or motivation to push it forward yet, but I might have a chance to do that in the next couple of months.

 — Justin

> On Oct 21, 2015, at 11:28 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> 
> One of the questions I would have is whether we need the integrity protection in this layer or just do the client authentication. As it is happening over TLS, just the client auth may be sufficient for many purposes.
> 
> 2015-10-21 3:29 GMT+09:00 Brian Campbell <bcampbell at pingidentity.com>:
> 
> Yeah, that would be the one that maps to it but there are issues with it that need to be sorted out: http://www.ietf.org/mail-archive/web/oauth/current/msg14801.html
> 
> 
> On Mon, Oct 19, 2015 at 6:17 PM, Nat Sakimura <sakimura at gmail.com> wrote:
> 
> 
> - Nat asked which draft was the HoK version of RFC6750.
>   https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request
>   seems to be the one that maps to it.
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
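An added illustration (not code from this thread or from the draft itself) of the mechanism Justin describes: a compact JWS whose claims are hashes over parts of the HTTP request plus a nonce and timestamp, so a single signature gives holder-of-key client authentication and, when wanted, integrity of the covered request parts. Claim names loosely follow the signed-http-request draft, but the header canonicalisation, the HS256 shared key and the sample request are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())

def header_hash(headers: dict, names: list) -> str:
    # Canonical form assumed here: covered headers as lower-cased "name: value" lines, in listed order.
    canon = "\n".join(f"{n.lower()}: {headers[n].strip()}" for n in names)
    return sha256_b64url(canon.encode())

def sign_request(key: bytes, method, host, path, headers, body, covered, nonce, ts=None):
    # Claims carry hashes of the request parts, not the parts themselves (names loosely follow the draft).
    claims = {
        "ts": ts if ts is not None else int(time.time()),
        "nonce": nonce,                       # freshness: the value the client was asked to sign
        "m": method.upper(),
        "u": host,
        "p": path,
        "h": [[n.lower() for n in covered], header_hash(headers, covered)],
        "b": sha256_b64url(body),
    }
    signing_input = (b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_request(key: bytes, token, method, host, path, headers, body, max_age=300, now=None):
    # Recompute every covered hash from the request actually received; any mismatch rejects it.
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), parts[2]):
        return False
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    now = now if now is not None else int(time.time())
    if abs(now - claims["ts"]) > max_age:
        return False
    names, h = claims["h"]
    recv = {k.lower(): v for k, v in headers.items()}   # receivers see header names case-insensitively
    if any(n not in recv for n in names):
        return False
    return (claims["m"] == method.upper() and claims["u"] == host and claims["p"] == path
            and hmac.compare_digest(h, header_hash(recv, names))
            and hmac.compare_digest(claims["b"], sha256_b64url(body)))
```

Signing only the nonce (leaving the request-part claims out) degenerates to the plain HoK case Justin mentions; covering the body and headers is what adds the integrity layer on top of TLS.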
