Re: [OAUTH-WG] Agenda Proposal
Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 21 March 2016 22:31 UTC
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
References: <56F05664.1010507@gmx.net> <9AED819A-6392-4115-99CF-D97E93BD0554@oracle.com> <16BDBD68-0851-4650-850E-454EE7D3ABE6@ve7jtb.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <56F07654.2070702@gmx.net>
Date: Mon, 21 Mar 2016 23:31:48 +0100
In-Reply-To: <16BDBD68-0851-4650-850E-454EE7D3ABE6@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/swYrTdzraSqNm0tLgqtG3CPfMS4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Agenda Proposal
Hi John,

On 03/21/2016 10:47 PM, John Bradley wrote:
> For mix up we have the mix-up mitigation draft, and the question of if
> the mitigation for the cut and paste attack should stay as part of that
> or be separate.

That's a good summary.

>
> There are the two drafts that attempt to prevent leakage of bearer AT by
> the RS.
>
> We don’t necessarily have consensus yet on if this is a real problem
> that OAuth needs to solve vs the API/Application using OAuth, as OAuth
> itself doesn’t say anything about how the client learns about the RS
> other than developer config out of band.
>
> I can try and lead all or part of it.

I think it is fair that this topic is part of a separate discussion item
on the agenda, as Phil proposed.

Ciao
Hannes

>
> John B.
>
>> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.hunt@oracle.com
>> <mailto:phil.hunt@oracle.com>> wrote:
>>
>> I’m not sure you intend to discuss it in the Mix-up section, but I
>> think we need time to discuss the correct configuration of clients and
>> the resource/aud relationship issues
>> (specifically: draft-campbell-oauth-resource-indicators
>> <http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt>
>> and draft-hunt-oauth-bound-config
>> <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
>>
>> There is apparently overlap with mix-up mitigation (either in reality
>> or perception), so I think it is important to have a verbal discussion
>> on this to get to consensus and understanding of the separate issues.
>>
>> As for POP-architecture, that has been on hold pending the mix-up
>> discussions and understanding of dynamic client risks. So, not much
>> need to discuss from my perspective.
>>
>> Thanks,
>>
>> Phil
>>
>> @independentid
>> www.independentid.com <http://www.independentid.com/>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>
>>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig
>>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>
>>> Hi all,
>>>
>>> I need your help creating the agenda for the next meeting. We have a 2
>>> 1/2 hour slot and many different topics to discuss. I put a strawman
>>> proposal together but there are various things missing:
>>>
>>> * who volunteers to present and to lead the discussion,
>>> * what time allocation is appropriate,
>>> * what you are trying to accomplish during the meeting (goals), and
>>> * what other items would you like to discuss (I know there are various
>>>   items missing from the list).
>>>
>>> So, your input is needed!
>>>
>>> -------
>>>
>>> IETF 95 OAuth Meeting Agenda
>>> Wednesday, 10:00-12:30
>>> Chairs: Hannes Tschofenig/Derek Atkins
>>>
>>> - Status Update (Hannes, 5 min)
>>>
>>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min)
>>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>>
>>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
>>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
>>>
>>> - Proof-of-Possession (TBD, 35 min)
>>>   http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
>>>   http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
>>>   http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>>>
>>> - Token Exchange (TBD, 15 min)
>>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>>>
>>> - OAuth 2.0 for Native Apps (William, 15 min)
>>>   http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
>>>
>>> - Authentication Method Reference Values (Mike, 15 min)
>>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>>>
>>> - Conclusion (Hannes, 5 min)
>>>
>>> -------
>>>
>>> The latest version can be found at:
>>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
>>>
>>> Ciao
>>> Hannes & Derek
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth