[OAUTH-WG] OAuth WG -- Quick Status Update

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 05 January 2016 12:28 UTC

Hi all,

as you have seen from my previous mail we are currently in the process
of rechartering the working group. We are doing this to pick up some new
work given the progress we have made over the last couple of months and
to also take into account recent work that helps to increase
interoperability of OAuth 2.0 deployments but also to provide bug fixes.

While we have the rechartering discussions we also have to complete the
currently scheduled work items.

Here is a short update on where we are with our WG items:

--- Token Exchange ---

The specification was updated mid December to reflect the decisions at
the Prague IETF meeting. In addition to the update of the open issue
resolution Brian, John and Chuck joined the authors list for their

Please take a look at the updated draft and let us know whether the
document is ready for WGLC.

Here are the minutes from the Prague IETF meeting:

I would need a few volunteers to review the document. Here is the draft:

--- OAuth 2.0 JWT Authorization Request ---

The chairs issued a WGLC on this document and several issues have been
raised. John & Nat are in charge of addressing those comments and I have
asked Nat to collect the open issues and to post them to the list. This
should give us an idea where we are right now with the document and how
to resolve the open issues.

--- Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) ---

This document has been approved by the IESG already for publication, as
you have seen here:

--- OAuth 2.0 Proof-of-Possession (PoP) Security Architecture ---

This document is already in IESG processing but I have asked Kathleen to
delay the publication given that we ran into scoping issues, as
discussed on the list. See

I will post a separate mail to the list to discuss a way forward for
this document.

--- OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution ---

This document is on-hold, pending the completion of the architecture.

--- HTTP Signing ---

The draft that describes the solution has expired but Justin presented
the work and the open issues at the Yokohama IETF meeting (see

I will also post a separate mail about how to proceed with it.

Hannes & Derek