| draft-tschofenig-oauth-hotk-01.txt | draft-tschofenig-oauth-hotk-02.txt |
|---|---|
| Network Working Group J. Bradley | Network Working Group J. Bradley |
| Internet-Draft Ping Identity | Internet-Draft Ping Identity |
| Intended status: Standards Track P. Hunt | Intended status: Standards Track P. Hunt |
| Expires: January 17, 2013 Oracle Corporation | Expires: August 29, 2013 Oracle Corporation |
| T. Nadalin | T. Nadalin |
| Microsoft | Microsoft |
| H. Tschofenig | H. Tschofenig |
| Nokia Siemens Networks | Nokia Siemens Networks |
| July 16, 2012 | February 25, 2013 |
| The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token Usage | The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token Usage |
| draft-tschofenig-oauth-hotk-01.txt | draft-tschofenig-oauth-hotk-02.txt |
| Abstract | Abstract |
| OAuth 2.0 deployments currently rely on bearer tokens for securing access to protected resources. Bearer tokens require Transport Layer Security to be used between an OAuth client and the resource server when presenting the access token. The security model is based on proof-of-possession: access token storage and transfer has to be done with care to prevent leakage. | OAuth 2.0 deployments currently rely on bearer tokens for securing access to protected resources. Bearer tokens require Transport Layer Security to be used between an OAuth client and the resource server when presenting the access token. The security model is based on proof-of-possession: access token storage and transfer has to be done with care to prevent leakage. |
| skipping to change at page 1, line 48 | skipping to change at page 1, line 48 |
| Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. | Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." | Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on January 17, 2013. | This Internet-Draft will expire on August 29, 2013. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. | Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as | This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as |
| skipping to change at page 20, line 9 | skipping to change at page 20, line 9 |
| 6. Acknowledgements | 6. Acknowledgements |
| The author would like to thank the OAuth working group and participants of the Internet Identity Workshop for their discussion input that lead to this document. | The author would like to thank the OAuth working group and participants of the Internet Identity Workshop for their discussion input that lead to this document. |
| 7. References | 7. References |
| 7.1. Normative References | 7.1. Normative References |
| [1] Hardt, D. and D. Recordon, "The OAuth 2.0 Authorization Framework", draft-ietf-oauth-v2-30 (work in progress), July 2012. | [1] Hardt, D., "The OAuth 2.0 Authorization Framework", draft-ietf-oauth-v2-31 (work in progress), August 2012. |
| [2] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", draft-ietf-oauth-json-web-token-01 (work in progress), July 2012. | [2] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", draft-ietf-oauth-json-web-token-06 (work in progress), December 2012. |
| [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. | [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [4] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | [4] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. |
| [5] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", draft-ietf-jose-json-web-signature-03 (work in progress), July 2012. | [5] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", draft-ietf-jose-json-web-signature-08 (work in progress), December 2012. |
| [6] Hammer-Lahav, E., "HTTP Authentication: MAC Access Authentication", draft-ietf-oauth-v2-http-mac-01 (work in progress), February 2012. | [6] Richer, J., Mills, W., and H. Tschofenig, "OAuth 2.0 Message Authentication Code (MAC) Tokens", draft-ietf-oauth-v2-http-mac-02 (work in progress), November 2012. |
| [7] Wouters, P., Gilmore, J., Weiler, S., Kivinen, T., and H. Tschofenig, "TLS Out-of-Band Public Key Validation", draft-ietf-tls-oob-pubkey-03 (work in progress), April 2012. | [7] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and T. Kivinen, "Out-of-Band Public Key Validation for Transport Layer Security (TLS)", draft-ietf-tls-oob-pubkey-07 (work in progress), February 2013. |
| [8] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. | [8] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. |
| [9] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. | [9] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. |
| [10] Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web-key-03 (work in progress), July 2012. | [10] Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web-key-08 (work in progress), December 2012. |
| 7.2. Informative References | 7.2. Informative References |
| [11] Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", draft-ietf-oauth-v2-bearer-22 (work in progress), July 2012. | [11] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", draft-ietf-oauth-v2-bearer-23 (work in progress), August 2012. |
| [12] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, "Assertion Framework for OAuth 2.0", draft-ietf-oauth-assertions-04 (work in progress), July 2012. | [12] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, "Assertion Framework for OAuth 2.0", draft-ietf-oauth-assertions-10 (work in progress), January 2013. |
| [13] Burr, W., Dodson, D., Perlner, R., Polk, T., Gupta, S., and E. Nabbus, "NIST Special Publication 800-63-1, INFORMATION SECURITY", December 2008. | [13] Burr, W., Dodson, D., Perlner, R., Polk, T., Gupta, S., and E. Nabbus, "NIST Special Publication 800-63-1, INFORMATION SECURITY", December 2008. |
| [14] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, April 2010. | [14] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, April 2010. |
| Authors' Addresses | Authors' Addresses |

End of changes. 13 change blocks. 23 lines changed or deleted; 26 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/