[OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 20 February 2017 11:02 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net>
Date: Mon, 20 Feb 2017 12:02:42 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JzNuozZ42jQVC2tbb3u1Z4ECoTk>

Hi all,

earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).

For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.

Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.

Ciao
Hannes & Derek