Re: [webrtc-pc] OAUTH-POP-KEY-DISTRIBUTION IETF draft has been replaced by ACE-CWT-PROOF-OF-POSSESSION

The OAuth 2.0 framework does not impose any specific format or structure. At the time of developing the specification, proof-of-possession for JWT (JSON) was not picked, as it would significantly increase the size of the access token (Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs), https://tools.ietf.org/html/rfc7800, also points to the obsolete reference).

The ACE WG has started discussing using OAuth 2.0 for constrained devices using CoAP (runs over both UDP and TCP) and CBOR, and hence the CWT (CBOR) binary web token came into play.
https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-14, https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-02 and https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-11 are going through changes and are not even close to WGLC.

Using ACE-CWT-PROOF-OF-POSSESSION only requires changes to the format of the access token and does not require any changes to the STUN protocol updates done in RFC 7635.

We can publish a new draft to use CWT instead of the binary access token defined in RFC 7635. The new draft will have to wait for a long time for the above drafts to finalize. In addition, both W3C and TURN server will have to agree to use CWT (CBOR).

The best way to move forward immediately, as per the suggestion from Harald, is, for the purposes of the W3C webrtc-pc document, to say that when RFC 7635 is used, the details of the token format are not further described here but left to the deployment to decide.

-- 
GitHub Notification of comment by tireddy2
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1642#issuecomment-374612781 using your GitHub account

Received on Tuesday, 20 March 2018 14:14:20 UTC