Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 06 March 2017 15:05 UTC

To: Torsten Lodderstedt <torsten@lodderstedt.net>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Yes, this matches my understanding of the discussions at the Seoul meeting.

On 03/04/2017 07:10 PM, Torsten Lodderstedt wrote:
> Hi Hannes,
> 
> just for clarification: as far as I remember, the proposal in Seoul was to turn the document into a BCP.
> 
> Is this consistent with your expectation?
> 
> kind regards,
> Torsten.
> 
>> On 20.02.2017 at 12:02, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> earlier this month we issued a call for adoption of the OAuth security
>> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
>> response was quite positive on the list (as well as during the last f2f
>> meeting).
>>
>> For this reason, we ask the authors to submit a WG version of the
>> document and to discuss new content for the document in preparation for
>> the next meeting.
>>
>> Note that the intention of the document is to discuss security topics as
>> they relate to the work in the OAuth working group. As this initial
>> document already does, it describes a problem statement and outlines
>> various ways to mitigate the problems. I expect the working group to
>> decide which solution approach is most appropriate and to detail it (at
>> a specification level) in a separate document (some of those documents
>> already exist in the working group). This should help us make decisions
>> that are not just point solutions for specific problems but rather
>> consider the big picture.
>>
>> Ciao
>> Hannes & Derek