=JeffH
2016-04-28 17:55:11 UTC
I don't see any notes posted here <openid-specs-***@lists.openid.net>
In case it is helpful, I was taking personal notes mostly from the Token
Binding perspective, and noted..
* it seems that oauth folk will need to write their own oauth token
binding spec rather than re-use the -tokbind-https spec [1]
* it may be the case that the semantics are equivalent to
referred_token_binding type and so there may be no need to invent a new
TBType
* we ought to explain better in -tokbind-protocol [2] the separation of
the proof-of-possession & the allocation of Token Binding IDs (TBIDs),
and the incorporation of TBIDs in app-layer objects, e.g. OAuth tokens,
HTTP cookies, etc.
HTH,
=JeffH
[1] https://tools.ietf.org/html/draft-ietf-tokbind-https
[2] https://tools.ietf.org/html/draft-ietf-tokbind-protocol