Discussion:
[OAUTH-WG] Token Binding Presentations?
Jim Manico
2017-03-17 15:09:51 UTC
Permalink
Hello OAuthers,

I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.

Thanks and Aloha,
- Jim
John Bradley
2017-03-17 17:42:59 UTC
Permalink
This has some of the basic info, but needs some updating. http://www.browserauth.net/ <http://www.browserauth.net/>

Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.

With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.

John B.
Post by Jim Manico
Hello OAuthers,
I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.
Thanks and Aloha,
- Jim
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Anthony Nadalin
2017-03-17 17:59:01 UTC
Permalink
I'm unaware of any support for "OAuth" Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies

From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of John Bradley
Sent: Friday, March 17, 2017 10:43 AM
To: Jim Manico <***@manicode.com>
Cc: IETF OAUTH <***@ietf.org>
Subject: Re: [OAUTH-WG] Token Binding Presentations?

This has some of the basic info, but needs some updating. http://www.browserauth.net/

Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.

With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.

John B.

On Mar 17, 2017, at 12:09 PM, Jim Manico <***@manicode.com<mailto:***@manicode.com>> wrote:

Hello OAuthers,

I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.

Thanks and Aloha,
- Jim
John Bradley
2017-03-17 18:09:36 UTC
Permalink
Yes I was referring to support for token binding at the TLS level in Edge & IE and perhaps other HTTP API support. for token binding negotiation on TLS connections.

Not support for things built on top of token binding.

IIS being updated to token bind cookies is another matter that I haven't seen any timing on.

Chrome on most if not all platforms and Edge on RS2 i believe should all support servers token binding cookies in the 3 to 6 month timeframe to be conservative.

I know Google has already turned on token binding negotiation for some web parts of Google.

John B.
I’m unaware of any support for “OAuth” Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies
  <>
Sent: Friday, March 17, 2017 10:43 AM
Subject: Re: [OAUTH-WG] Token Binding Presentations?
This has some of the basic info, but needs some updating. http://www.browserauth.net/ <http://www.browserauth.net/>
Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.
With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.
John B.
Hello OAuthers,
I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.
Thanks and Aloha,
- Jim
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Brian Campbell
2017-03-17 18:10:58 UTC
Permalink
Dirk gave this preso nearly 2 years ago https://www.slideshare.net/
CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015 which is
out of date but has the main concepts, I think. There's also this
http://www.browserauth.net/token-binding page by him.

I'm planing on a doing a presentation on Token Binding at CIS
<https://www.cloudidentitysummit.com> this summer. But that's not until
June and none of the content exists yet.

Otherwise the draft specs are probably the best bet at this point. And they
are all still in draft, though some are more stable than others, they may
still change.

Token Binding:
https://tools.ietf.org/html/draft-ietf-tokbind-https-08
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-13
https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-07

Application in OAuth:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02

Application in OpenID Connect:
http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
Post by Jim Manico
Hello OAuthers,
I'm trying to get my head around token binding beyond the RFC. Are there
any presentations or other media on token binding that any of you are aware
of? My google-fu is coming up empty.
Thanks and Aloha,
- Jim
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Jim Manico
2017-03-17 18:14:29 UTC
Permalink
Brian (and John),

Thank you both for the references. Perfect.

Aloha, Jim
Post by Brian Campbell
Dirk gave this preso nearly 2 years ago
https://www.slideshare.net/CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015
<https://www.slideshare.net/CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015>
which is out of date but has the main concepts, I think. There's also
this http://www.browserauth.net/token-binding
<http://www.browserauth.net/token-binding> page by him.
I'm planing on a doing a presentation on Token Binding at CIS
<https://www.cloudidentitysummit.com> this summer. But that's not
until June and none of the content exists yet.
Otherwise the draft specs are probably the best bet at this point. And
they are all still in draft, though some are more stable than others,
they may still change.
https://tools.ietf.org/html/draft-ietf-tokbind-https-08
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-13
https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-07
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02
http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
Hello OAuthers,
I'm trying to get my head around token binding beyond the RFC. Are
there any presentations or other media on token binding that any
of you are aware of? My google-fu is coming up empty.
Thanks and Aloha,
- Jim
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
--
Jim Manico
Manicode Security
https://www.manicode.com
Loading...