IETF Logo Mail Archive

Re: [OAUTH-WG] Agenda Proposal

Brian Campbell <bcampbell@pingidentity.com> Tue, 22 March 2016 13:21 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24FE112D5DC for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2016 06:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d29JKSA9m8Xl for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2016 06:21:03 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD8EB12D7A9 for <oauth@ietf.org>; Tue, 22 Mar 2016 06:21:00 -0700 (PDT)
Received: by mail-io0-x234.google.com with SMTP id 124so90814578iov.3 for <oauth@ietf.org>; Tue, 22 Mar 2016 06:21:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dozZV7j6s137dFP6y6lJKzvM85pNbniPdEQ/ONHLLtI=; b=SjZRdk0aCWHsRh/3p49eFK18OCfw2uVyEqdqbYzd+Ny4xqlzmBk2fBhYXm75GdI/E5 9Iy7cY5DZyXK2uzt/t+fY5bMNmv0GCTfsWm2TXQtcFtsuj8gxLbxhPy/uXim4vfij23a bAMZfTWX/bk59/Z1m3YFM+GiVBMPtZA35Dg6w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dozZV7j6s137dFP6y6lJKzvM85pNbniPdEQ/ONHLLtI=; b=Sph/WV1U6iBlcQGVHUen0Ay+9tg4gWZmuDBWpulwMDZrR4328UUZqMoSQar2dFvidR ed+Urb9ZY+esl2fwkEni4n5cVCF1f7k6r7MnyvdBY8cEnRNwH0ehf+YiCObg3JWTAZs0 KSDPG+coHWh5IR/eXp7aekOyuyyjFfhGHtxduQB8IC6fy7cqArTVJXb7TALCZZ3XDVin 4c/t+3/trra5ivk1hQxc0kVNtCw217jr8DrOVUvfgPIWohDFcJr61E6TyhGyHezSyuYv xEXtbwEAKxUHNunHVjQCbvBmD+0sMi74U5BhmkycKB/U7DUDUpsJqvJVKdN31Mtkdgpt XIYQ==
X-Gm-Message-State: AD7BkJLYwP4pnfmv78VGyoXwn3AlmsDtNode1vzqKZ64nxL+7H/kwDsft15l6FUDBdKl6pnw+Cftjx26Tc6Ecd1R
X-Received: by 10.107.137.152 with SMTP id t24mr38436999ioi.147.1458652860139; Tue, 22 Mar 2016 06:21:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.28.196 with HTTP; Tue, 22 Mar 2016 06:20:30 -0700 (PDT)
In-Reply-To: <56F07654.2070702@gmx.net>
References: <56F05664.1010507@gmx.net> <9AED819A-6392-4115-99CF-D97E93BD0554@oracle.com> <16BDBD68-0851-4650-850E-454EE7D3ABE6@ve7jtb.com> <56F07654.2070702@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 22 Mar 2016 07:20:30 -0600
Message-ID: <CA+k3eCT5EeRA288YaVEZopGA=yW2_1dXQsAbUd5R80JO-KYF3w@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="001a113f9022945f84052ea315e2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-KiNb7ctCfYzzLNuMpuAa8wHzDE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Agenda Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 13:21:06 -0000

I'll take Token Exchange. It'll be a status update and quick look at some
open issues. Hope to keep it short.

+1 the characterization of mix-up mitigation.

I can also talk about draft-campbell-oauth-resource-indicators, however,
maybe it should be part of the somewhat larger conversation that John has
kindly volunteered to lead.

I realize we can't cover everything but "OAuth 2.0 Authorization Server
Discovery Metadata" seems conspicuously absent from the agenda.



On Mon, Mar 21, 2016 at 4:31 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi John,
>
>
>
> On 03/21/2016 10:47 PM, John Bradley wrote:
> > For mix up we have the mix-up mitigation draft,  and the question of if
> > the mitigation for the cut and paste attack should stay as part of that
> > or be separate.
>
> That's a good summary.
>
> >
> > There are the two drafts that attempt to prevent leakage of bearer AT by
> > the RS.
> >
> > We don’t necessarily have consensus yet on if this is a real problem
> > that OAuth needs to solve vs the API/Application using OAuth, as OAuth
> > itself doesn’t say anything about how the client learns about the RS
> > other than developer config out of band.
> >
> > I can try and lead all or part of it.
>
> I think it is fair that this topic is part of a separate discussion item
> on the agenda, as Phil proposed.
>
> Ciao
> Hannes
>
> >
> > John B.
> >
> >> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.hunt@oracle.com
> >> <mailto:phil.hunt@oracle.com>> wrote:
> >>
> >> I’m not sure you intend to discuss it in the Mix-up section, but I
> >> think we need time to discuss the correct configuration of clients and
> >> the resource/aud relationship issues
> >> (specifically: draft-campbell-oauth-resource-indicators
> >> <
> http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt>
> and draft-hunt-oauth-bound-config
> >> <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
> >>
> >> There is apparently overlap with mix-up mitigation (either in reality
> >> or perception), so I think it is important to have a verbal discussion
> >> on this to get to consensus and understanding of the separate issues.
> >>
> >> As for POP-architecture, that has been on hold pending the mix-up
> >> discussions and understanding of dynamic client risks.  So, not much
> >> need to discuss from my perspective.
> >>
> >> Thanks,
> >>
> >> Phil
> >>
> >> @independentid
> >> www.independentid.com <http://www.independentid.com/>
> >> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> >>
> >>
> >>
> >>
> >>
> >>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig
> >>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I need your help creating the agenda for the next meeting. We have a 2
> >>> 1/2 hour slot and many different topics to discuss. I put a strawman
> >>> proposal together but there are various things missing:
> >>>
> >>> * who volunteers to present and to lead the discussion,
> >>> * what time allocation is appropriate,
> >>> * what you are trying to accomplish during the meeting (goals), and
> >>> * what other items would you like to discuss (I know there are various
> >>> items missing from the list).
> >>>
> >>> So, you input is needed!
> >>>
> >>> -------
> >>>
> >>> IETF 95 OAuth Meeting Agenda
> >>> Wednesday, 10:00-12:30
> >>> Chairs: Hannes Tschofenig/Derek Atkins
> >>>
> >>> - Status Update (Hannes, 5 min)
> >>>
> >>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min )
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> >>>
> >>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
> >>>
> >>> - Proof-of-Possession (TBD, 35 min)
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
> >>>
> >>> - Token Exchange (TBD, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
> >>>
> >>> - OAuth 2.0 for Native Apps (William, 15 min)
> >>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
> >>>
> >>> - Authentication Method Reference Values (Mike, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
> >>>
> >>> - Conclusion (Hannes, 5 min)
> >>>
> >>> -------
> >>>
> >>> The latest version can be found at:
> >>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
> >>>
> >>> Ciao
> >>> Hannes & Derek
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org <mailto:OAuth@ietf.org>
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email