Re: [OAUTH-WG] Agenda Proposal

John Bradley <ve7jtb@ve7jtb.com> Mon, 21 March 2016 21:47 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <9AED819A-6392-4115-99CF-D97E93BD0554@oracle.com>
Date: Mon, 21 Mar 2016 21:47:22 +0000
Message-Id: <16BDBD68-0851-4650-850E-454EE7D3ABE6@ve7jtb.com>
References: <56F05664.1010507@gmx.net> <9AED819A-6392-4115-99CF-D97E93BD0554@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Zi4nQjga8w_kjwDhcQCqZAIRHyM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Agenda Proposal

For mix-up we have the mix-up mitigation draft, and the question of whether the mitigation for the cut-and-paste attack should stay as part of that or be separate.

There are the two drafts that attempt to prevent leakage of bearer ATs by the RS.

We don’t necessarily have consensus yet on whether this is a real problem that OAuth needs to solve vs. the API/application using OAuth, as OAuth itself doesn’t say anything about how the client learns about the RS other than by developer configuration out of band.

I can try to lead all or part of it.

John B.

> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> I’m not sure you intend to discuss it in the Mix-up section, but I think we need time to discuss the correct configuration of clients and the resource/aud relationship issues (specifically: draft-campbell-oauth-resource-indicators <http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt> and draft-hunt-oauth-bound-config <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
> 
> There is apparently overlap with mix-up mitigation (either in reality or perception), so I think it is important to have a verbal discussion on this to get to consensus and understanding of the separate issues.
> 
> As for POP-architecture, that has been on hold pending the mix-up discussions and understanding of dynamic client risks.  So, not much need to discuss from my perspective.
> 
> Thanks,
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>> Hi all,
>> 
>> I need your help creating the agenda for the next meeting. We have a 2
>> 1/2 hour slot and many different topics to discuss. I put a strawman
>> proposal together but there are various things missing:
>> 
>> * who volunteers to present and to lead the discussion,
>> * what time allocation is appropriate,
>> * what you are trying to accomplish during the meeting (goals), and
>> * what other items would you like to discuss (I know there are various
>> items missing from the list).
>> 
>> So, your input is needed!
>> 
>> -------
>> 
>> IETF 95 OAuth Meeting Agenda
>> Wednesday, 10:00-12:30
>> Chairs: Hannes Tschofenig/Derek Atkins
>> 
>> - Status Update (Hannes, 5 min)
>> 
>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min )
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>> 
>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
>> 
>> - Proof-of-Possession (TBD, 35 min)
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>> 
>> - Token Exchange (TBD, 15 min)
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>> 
>> - OAuth 2.0 for Native Apps (William, 15 min)
>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
>> 
>> - Authentication Method Reference Values (Mike, 15 min)
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>> 
>> - Conclusion (Hannes, 5 min)
>> 
>> -------
>> 
>> The latest version can be found at:
>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
>> 
>> Ciao
>> Hannes & Derek
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
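As an added illustration of the mix-up check that John's first paragraph refers to (this is example code written for this page, not code from the thread, from the mix-up mitigation draft, or from any of the participants): the client records which AS each authorization request was sent to, keyed by `state`, and when the authorization response arrives it requires that the issuer and `client_id` echoed by the AS match that session. The mix-up mitigation draft adds exactly those two response parameters; the AS URLs, the client identifier, the sample codes, and the assumption that every configured AS echoes the parameters (so their absence is an error) are constructed for this example.

```python
# Added example (not code from the thread or from any draft): a client-side
# check in the spirit of the mix-up mitigation draft, in which the AS echoes
# its issuer ("iss") and the client_id it used in the authorization response.
# AS URLs, client identifier and codes below are constructed for illustration.
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class AuthorizationServer:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str


# Constructed configuration: the honest AS the client is registered with and an
# attacker-controlled AS that the client has also been configured to talk to.
HONEST_AS = AuthorizationServer(
    "https://as.example.com",
    "https://as.example.com/authorize",
    "https://as.example.com/token",
)
ATTACKER_AS = AuthorizationServer(
    "https://as.attacker.example",
    "https://as.attacker.example/authorize",
    "https://as.attacker.example/token",
)


class MixUpError(Exception):
    """The authorization response does not belong to the AS this session started with."""


class Client:
    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # state -> AS chosen when the request was built. This binding is what lets
        # the client notice a response that came back from a different AS.
        self._pending: dict[str, AuthorizationServer] = {}

    def start_authorization(self, as_: AuthorizationServer) -> str:
        state = secrets.token_urlsafe(32)
        self._pending[state] = as_
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })
        return f"{as_.authorization_endpoint}?{query}"

    def handle_redirect(self, redirect_url: str) -> tuple[str, AuthorizationServer]:
        """Validate the authorization response; return (code, AS to redeem it at)."""
        params = parse_qs(urlsplit(redirect_url).query)

        def single(name: str) -> str:
            values = params.get(name, [])
            if len(values) != 1:  # missing or duplicated parameter
                raise MixUpError(f"expected exactly one {name!r} parameter")
            return values[0]

        # state is single-use: pop it so a replayed response cannot match again.
        expected_as = self._pending.pop(single("state"), None)
        if expected_as is None:
            raise MixUpError("unknown or reused state")

        # The issuer echoed in the response must be the AS this session was started
        # with. Assumption for this example: every configured AS supports the
        # parameter, so a missing "iss" is rejected rather than tolerated.
        iss = single("iss")
        if iss != expected_as.issuer:
            raise MixUpError(
                f"issuer mismatch: session bound to {expected_as.issuer}, response from {iss}"
            )

        # The AS must have processed the request under this client's identifier.
        if single("client_id") != self.client_id:
            raise MixUpError("client_id mismatch")

        return single("code"), expected_as


def _state_from(url: str) -> str:
    return parse_qs(urlsplit(url).query)["state"][0]


def run_honest_flow() -> tuple[str, str]:
    """Normal flow: request and response involve the same AS."""
    client = Client("client-123", "https://client.example/cb")
    state = _state_from(client.start_authorization(HONEST_AS))
    response = "https://client.example/cb?" + urlencode({
        "code": "code-from-honest-as", "state": state,
        "iss": HONEST_AS.issuer, "client_id": "client-123",
    })
    code, as_ = client.handle_redirect(response)
    return code, as_.token_endpoint


def run_mix_up_attack() -> str:
    """Mix-up: the user was sent to the attacker's AS, which forwarded the request
    to the honest AS. The honest AS's code arrives under a state bound to
    ATTACKER_AS; without the iss check the client would redeem it at the
    attacker's token endpoint. Returns the client's rejection reason."""
    client = Client("client-123", "https://client.example/cb")
    state = _state_from(client.start_authorization(ATTACKER_AS))
    response = "https://client.example/cb?" + urlencode({
        "code": "code-from-honest-as", "state": state,
        "iss": HONEST_AS.issuer, "client_id": "client-123",
    })
    try:
        client.handle_redirect(response)
    except MixUpError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    print(run_honest_flow())
    print(run_mix_up_attack())
```

The check only helps if the client refuses responses that lack `iss` from an AS known to support it; otherwise the attacker's AS can simply omit the parameter. The separate question John raises, whether a bearer token can leak through the RS the client was configured to call, is not addressed by this check and is the subject of the resource-indicator drafts Phil mentions.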