[OAUTH-WG] Fwd: IETF#89 OAuth Meeting Summary

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 04 March 2014 18:06 UTC

FYI: Here is the summary I sent to the SAAG list.


-------- Original Message --------
Subject: IETF#89 OAuth Meeting Summary
Date: Tue, 04 Mar 2014 17:59:00 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: saag@ietf.org

This morning we had our OAuth working group meeting and here is a short
summary of the discussion.

* JSON Web Token (JWT)

Mike Jones, specification editor, has updated the specification to
incorporate the remaining WGLC review comments. The reviewers will have
to check whether their feedback has been addressed appropriately.
The document is then ready to be forwarded to the IESG for publication
but the completion will depend on the finalization of the work in the
JOSE WG.

The chairs will work on the shepherd write-up.

* Assertions

The group worked on the use of assertions for client authentication as
well as an authorization grant type. The work is documented in three
specifications (draft-ietf-oauth-assertions-14,
draft-ietf-oauth-jwt-bearer-07, and draft-ietf-oauth-saml2-bearer-18).

The assertion framework and the SAML bearer specification are completed
and waiting for a publication request by the chairs.

During the meeting we decided to put the third document,
draft-ietf-oauth-jwt-bearer-07, forward to the IESG at the same time as
the other two documents for easier readability. Since
draft-ietf-oauth-jwt-bearer-07 depends on the completion of the JWT
specification, and that furthermore depends on the work in the JOSE WG
to complete, there might be a little bit of delay.

* Dynamic Client Registration

A large part of the time was used to discuss this topic. There are
currently three documents:
 - Core: draft-ietf-oauth-dyn-reg-16
 - Meta-data: draft-ietf-oauth-dyn-reg-metadata-00
 - Management: draft-ietf-oauth-dyn-reg-management-00

The core and meta-data were seen as rather uncontroversial but these two
documents will require reviews and several persons volunteered.

The management specification, however, raised questions. Concerns were
raised about the maturity of the work and suggestions were to add text
to the draft to highlight that it is only one possible solution.
Changing the document to an Informational or Experimental document was
also suggested. The chairs will schedule an informal discussion during
this IETF week to get a better understanding of the software development
lifecycle and the associated requirements for management of credentials
and configuration parameters.

* Security

The chairs presented a summary of the current state of the work for
developing mechanisms that provide security properties beyond bearer
tokens. The bearer token concept is described in RFC 6750. Currently,
the solutions are documented in draft-ietf-oauth-v2-http-mac-05, and
draft-tschofenig-oauth-hotk-03.

Based on a discussion last Sunday morning the existing documents will be
re-structured and the f2f meeting was used to solicit feedback. We hope
to have text within the next few weeks so that those who are deploying
solutions already today can be involved in the work.

A charter and a milestone update will be necessary to accommodate for
the document split.