Re: [OAUTH-WG] Agenda Proposal
Brian Campbell <bcampbell@pingidentity.com> Tue, 22 March 2016 13:21 UTC
I'll take Token Exchange. It'll be a status update and quick look at some open issues. Hope to keep it short.

+1 the characterization of mix-up mitigation.

I can also talk about draft-campbell-oauth-resource-indicators, however, maybe it should be part of the somewhat larger conversation that John has kindly volunteered to lead.

I realize we can't cover everything but "OAuth 2.0 Authorization Server Discovery Metadata" seems conspicuously absent from the agenda.

On Mon, Mar 21, 2016 at 4:31 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi John,
>
> On 03/21/2016 10:47 PM, John Bradley wrote:
> > For mix up we have the mix-up mitigation draft, and the question of if
> > the mitigation for the cut and paste attack should stay as part of that
> > or be separate.
>
> That's a good summary.
>
> > There are the two drafts that attempt to prevent leakage of bearer AT by
> > the RS.
> >
> > We don’t necessarily have consensus yet on if this is a real problem
> > that OAuth needs to solve vs the API/Application using OAuth, as OAuth
> > itself doesn’t say anything about how the client learns about the RS
> > other than developer config out of band.
> >
> > I can try and lead all or part of it.
>
> I think it is fair that this topic is part of a separate discussion item
> on the agenda, as Phil proposed.
>
> Ciao
> Hannes
>
> > John B.
> >
> >> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> >>
> >> I’m not sure you intend to discuss it in the Mix-up section, but I
> >> think we need time to discuss the correct configuration of clients and
> >> the resource/aud relationship issues
> >> (specifically: draft-campbell-oauth-resource-indicators
> >> <http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt>
> >> and draft-hunt-oauth-bound-config
> >> <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
> >>
> >> There is apparently overlap with mix-up mitigation (either in reality
> >> or perception), so I think it is important to have a verbal discussion
> >> on this to get to consensus and understanding of the separate issues.
> >>
> >> As for POP-architecture, that has been on hold pending the mix-up
> >> discussions and understanding of dynamic client risks. So, not much
> >> need to discuss from my perspective.
> >>
> >> Thanks,
> >>
> >> Phil
> >>
> >> @independentid
> >> www.independentid.com
> >> phil.hunt@oracle.com
> >>
> >>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig
> >>> <hannes.tschofenig@gmx.net> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I need your help creating the agenda for the next meeting. We have a 2
> >>> 1/2 hour slot and many different topics to discuss. I put a strawman
> >>> proposal together but there are various things missing:
> >>>
> >>> * who volunteers to present and to lead the discussion,
> >>> * what time allocation is appropriate,
> >>> * what you are trying to accomplish during the meeting (goals), and
> >>> * what other items would you like to discuss (I know there are various
> >>> items missing from the list).
> >>>
> >>> So, your input is needed!
> >>>
> >>> -------
> >>>
> >>> IETF 95 OAuth Meeting Agenda
> >>> Wednesday, 10:00-12:30
> >>> Chairs: Hannes Tschofenig/Derek Atkins
> >>>
> >>> - Status Update (Hannes, 5 min)
> >>>
> >>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> >>>
> >>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
> >>>
> >>> - Proof-of-Possession (TBD, 35 min)
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
> >>>
> >>> - Token Exchange (TBD, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
> >>>
> >>> - OAuth 2.0 for Native Apps (William, 15 min)
> >>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
> >>>
> >>> - Authentication Method Reference Values (Mike, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
> >>>
> >>> - Conclusion (Hannes, 5 min)
> >>>
> >>> -------
> >>>
> >>> The latest version can be found at:
> >>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
> >>>
> >>> Ciao
> >>> Hannes & Derek
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth