| draft-ietf-oauth-pop-architecture-07.txt | draft-ietf-oauth-pop-architecture-08.txt | |||
|---|---|---|---|---|
| OAuth P. Hunt, Ed. | OAuth P. Hunt, Ed. | |||
| Internet-Draft Oracle Corporation | Internet-Draft Oracle Corporation | |||
| Intended status: Informational J. Richer | Intended status: Informational J. Richer | |||
| Expires: June 3, 2016 | Expires: January 9, 2017 | |||
| W. Mills | W. Mills | |||
| P. Mishra | P. Mishra | |||
| Oracle Corporation | Oracle Corporation | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Limited | ARM Limited | |||
| December 1, 2015 | July 8, 2016 | |||
| OAuth 2.0 Proof-of-Possession (PoP) Security Architecture | OAuth 2.0 Proof-of-Possession (PoP) Security Architecture | |||
| draft-ietf-oauth-pop-architecture-07.txt | draft-ietf-oauth-pop-architecture-08.txt | |||
| Abstract | Abstract | |||
| The OAuth 2.0 bearer token specification, as defined in RFC 6750, | The OAuth 2.0 bearer token specification, as defined in RFC 6750, | |||
| allows any party in possession of a bearer token (a "bearer") to get | allows any party in possession of a bearer token (a "bearer") to get | |||
| access to the associated resources (without demonstrating possession | access to the associated resources (without demonstrating possession | |||
| of a cryptographic key). To prevent misuse, bearer tokens must be | of a cryptographic key). To prevent misuse, bearer tokens must be | |||
| protected from disclosure in transit and at rest. | protected from disclosure in transit and at rest. | |||
| Some scenarios demand additional security protection whereby a client | Some scenarios demand additional security protection whereby a client | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 3, 2016. | This Internet-Draft will expire on January 9, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 20, line 26 ¶ | skipping to change at page 20, line 26 ¶ | |||
| [I-D.ietf-oauth-pop-key-distribution] | [I-D.ietf-oauth-pop-key-distribution] | |||
| Bradley, J., Hunt, P., Jones, M., and H. Tschofenig, | Bradley, J., Hunt, P., Jones, M., and H. Tschofenig, | |||
| "OAuth 2.0 Proof-of-Possession: Authorization Server to | "OAuth 2.0 Proof-of-Possession: Authorization Server to | |||
| Client Key Distribution", draft-ietf-oauth-pop-key- | Client Key Distribution", draft-ietf-oauth-pop-key- | |||
| distribution-02 (work in progress), October 2015. | distribution-02 (work in progress), October 2015. | |||
| [I-D.ietf-oauth-proof-of-possession] | [I-D.ietf-oauth-proof-of-possession] | |||
| Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- | Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- | |||
| Possession Key Semantics for JSON Web Tokens (JWTs)", | Possession Key Semantics for JSON Web Tokens (JWTs)", | |||
| draft-ietf-oauth-proof-of-possession-08 (work in | draft-ietf-oauth-proof-of-possession-11 (work in | |||
| progress), November 2015. | progress), December 2015. | |||
| [I-D.ietf-oauth-signed-http-request] | [I-D.ietf-oauth-signed-http-request] | |||
| Richer, J., Bradley, J., and H. Tschofenig, "A Method for | Richer, J., Bradley, J., and H. Tschofenig, "A Method for | |||
| Signing an HTTP Requests for OAuth", draft-ietf-oauth- | Signing HTTP Requests for OAuth", draft-ietf-oauth-signed- | |||
| signed-http-request-01 (work in progress), March 2015. | http-request-02 (work in progress), February 2016. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | |||
| DOI 10.17487/RFC2119, March 1997, | RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ | |||
| DOI 10.17487/RFC5246, August 2008, | RFC5246, August 2008, | |||
| <http://www.rfc-editor.org/info/rfc5246>. | <http://www.rfc-editor.org/info/rfc5246>. | |||
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6749>. | <http://www.rfc-editor.org/info/rfc6749>. | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7519>. | <http://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, | [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
| "Recommendations for Secure Use of Transport Layer | "Recommendations for Secure Use of Transport Layer | |||
| Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
| (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | |||
| 2015, <http://www.rfc-editor.org/info/rfc7525>. | 2015, <http://www.rfc-editor.org/info/rfc7525>. | |||
| [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", | [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", RFC | |||
| RFC 7662, DOI 10.17487/RFC7662, October 2015, | 7662, DOI 10.17487/RFC7662, October 2015, | |||
| <http://www.rfc-editor.org/info/rfc7662>. | <http://www.rfc-editor.org/info/rfc7662>. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [I-D.hardjono-oauth-kerberos] | [I-D.hardjono-oauth-kerberos] | |||
| Hardjono, T., "OAuth 2.0 support for the Kerberos V5 | Hardjono, T., "OAuth 2.0 support for the Kerberos V5 | |||
| Authentication Protocol", draft-hardjono-oauth-kerberos-01 | Authentication Protocol", draft-hardjono-oauth-kerberos-01 | |||
| (work in progress), December 2010. | (work in progress), December 2010. | |||
| [NIST800-63] | [NIST800-63] | |||
| Burr, W., Dodson, D., Perlner, R., Polk, T., Gupta, S., | Burr, W., Dodson, D., Perlner, R., Polk, T., Gupta, S., | |||
| and E. Nabbus, "NIST Special Publication 800-63-1, | and E. Nabbus, "NIST Special Publication 800-63-1, | |||
| INFORMATION SECURITY", December 2008. | INFORMATION SECURITY", December 2008. | |||
| [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | |||
| Kerberos Network Authentication Service (V5)", RFC 4120, | Kerberos Network Authentication Service (V5)", RFC 4120, | |||
| DOI 10.17487/RFC4120, July 2005, | DOI 10.17487/RFC4120, July 2005, | |||
| <http://www.rfc-editor.org/info/rfc4120>. | <http://www.rfc-editor.org/info/rfc4120>. | |||
| [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | |||
| Ciphersuites for Transport Layer Security (TLS)", | Ciphersuites for Transport Layer Security (TLS)", RFC | |||
| RFC 4279, DOI 10.17487/RFC4279, December 2005, | 4279, DOI 10.17487/RFC4279, December 2005, | |||
| <http://www.rfc-editor.org/info/rfc4279>. | <http://www.rfc-editor.org/info/rfc4279>. | |||
| [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
| Security", RFC 4347, DOI 10.17487/RFC4347, April 2006, | Security", RFC 4347, DOI 10.17487/RFC4347, April 2006, | |||
| <http://www.rfc-editor.org/info/rfc4347>. | <http://www.rfc-editor.org/info/rfc4347>. | |||
| [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, | [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, | |||
| Authorization, and Accounting (AAA) Key Management", | Authorization, and Accounting (AAA) Key Management", BCP | |||
| BCP 132, RFC 4962, DOI 10.17487/RFC4962, July 2007, | 132, RFC 4962, DOI 10.17487/RFC4962, July 2007, | |||
| <http://www.rfc-editor.org/info/rfc4962>. | <http://www.rfc-editor.org/info/rfc4962>. | |||
| [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||
| Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | |||
| <http://www.rfc-editor.org/info/rfc5056>. | <http://www.rfc-editor.org/info/rfc5056>. | |||
| [RFC5849] Hammer-Lahav, E., Ed., "The OAuth 1.0 Protocol", RFC 5849, | [RFC5849] Hammer-Lahav, E., Ed., "The OAuth 1.0 Protocol", RFC 5849, | |||
| DOI 10.17487/RFC5849, April 2010, | DOI 10.17487/RFC5849, April 2010, | |||
| <http://www.rfc-editor.org/info/rfc5849>. | <http://www.rfc-editor.org/info/rfc5849>. | |||
| [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
| Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||
| within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||
| (PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||
| Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March | Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March | |||
| 2011, <http://www.rfc-editor.org/info/rfc6125>. | 2011, <http://www.rfc-editor.org/info/rfc6125>. | |||
| [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | |||
| Framework: Bearer Token Usage", RFC 6750, | Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/ | |||
| DOI 10.17487/RFC6750, October 2012, | RFC6750, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6750>. | <http://www.rfc-editor.org/info/rfc6750>. | |||
| [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 | [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 | |||
| Threat Model and Security Considerations", RFC 6819, | Threat Model and Security Considerations", RFC 6819, DOI | |||
| DOI 10.17487/RFC6819, January 2013, | 10.17487/RFC6819, January 2013, | |||
| <http://www.rfc-editor.org/info/rfc6819>. | <http://www.rfc-editor.org/info/rfc6819>. | |||
| [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | |||
| Application Protocol (CoAP)", RFC 7252, | Application Protocol (CoAP)", RFC 7252, DOI 10.17487/ | |||
| DOI 10.17487/RFC7252, June 2014, | RFC7252, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7252>. | <http://www.rfc-editor.org/info/rfc7252>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Phil Hunt (editor) | Phil Hunt (editor) | |||
| Oracle Corporation | Oracle Corporation | |||
| Email: phil.hunt@yahoo.com | Email: phil.hunt@yahoo.com | |||
| Justin Richer | Justin Richer | |||
| End of changes. 15 change blocks. | ||||
| 25 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||