OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
draft-ietf-oauth-pop-architecture-08

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-oauth-pop-architecture-07.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: Kathleen.Moriarty.ietf@gmail.com, kepeng.lkp@alibaba-inc.com, draft-ietf-oauth-pop-architecture@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (OAuth 2.0 Proof-of-Possession (PoP) Security Architecture) to Informational RFC


The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'OAuth 2.0 Proof-of-Possession (PoP) Security Architecture'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-12-15. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  The OAuth 2.0 bearer token specification, as defined in RFC 6750,
  allows any party in possession of a bearer token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent misuse, bearer tokens must be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a client
  needs to demonstrate possession of cryptographic keying material when
  accessing a protected resource.  This document motivates the
  development of the OAuth 2.0 proof-of-possession security mechanism.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/ballot/


No IPR declarations have been submitted directly on this I-D.

Shepherd Writeup for draft-ietf-oauth-pop-architecture-05

1. Summary

The document shepherd is Kepeng Li. The responsible Area Director is
Kathleen Moriarty.

This document describes an architecture extending OAuth 2.0 security,
which is today based on the use of bearer tokens (defined in RFC 6750).
Some scenarios demand additional security protection whereby a client
needs to demonstrate possession of cryptographic keying material when
accessing a protected resource.  This document motivates the development
of the OAuth 2.0 proof-of-possession security mechanism.

This specification is an Informational RFC describing the architecture
and requirements.

2. Review and Consensus

The document was initially developed by a design team and then accepted
by the working group. There is strong consensus behind this work.

No IANA actions are required and the document does not contain formal
language.

3. Intellectual Property

Each author has confirmed conformance with BCP 78/79. There are no IPR
disclosures on the document.

http://www.ietf.org/mail-archive/web/oauth/current/msg14981.html
http://www.ietf.org/mail-archive/web/oauth/current/msg14982.html
http://www.ietf.org/mail-archive/web/oauth/current/msg14983.html
http://www.ietf.org/mail-archive/web/oauth/current/msg14984.html
http://www.ietf.org/mail-archive/web/oauth/current/msg15061.html

4. Other Points

This document contains (informative) references to technical
specifications developed within the OAuth working group that offer the
enhanced security functionality.