Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

John Bradley <ve7jtb@ve7jtb.com> Sun, 05 March 2017 23:17 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
Date: Sun, 05 Mar 2017 20:17:27 -0300
Message-Id: <89D9AE0C-F1B4-49D1-8BD3-49A44667FB6F@ve7jtb.com>
References: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net> <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9HFDMDpUxKvWbsCxlCAOmG91MQE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

A BCP is still assigned an RFC number.

The intent is to have a BCP number as well.

E.g. BCP 195's current instance is RFC 7525.

The intent is to have a BCP series but the process is largely the same as I understand it.

John B.


> On Mar 4, 2017, at 3:10 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Hi Hannes,
> 
> just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP. 
> 
> Is this consistent with your expectation?
> 
> kind regards,
> Torsten.
> 
>> On 20.02.2017 at 12:02, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
>> 
>> Hi all,
>> 
>> earlier this month we issued a call for adoption of the OAuth security
>> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
>> response was quite positive on the list (as well as during the last f2f
>> meeting).
>> 
>> For this reason, we ask the authors to submit a WG version of the
>> document and to discuss new content for the document in preparation for
>> the next meeting.
>> 
>> Note that the intention of the document is to discuss security topics as
>> they relate to the work in the OAuth working group. As this initial
>> document already does, it describes a problem statement and outlines
>> various ways to mitigate the problems. I expect the working group to
>> decide which solution approach is most appropriate and to detail it (at
>> a specification level) in a separate document (some of those documents
>> already exist in the working group). This should help us make decisions
>> that are not just point solutions for specific problems but rather
>> consider the big picture.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth