Re: [OAUTH-WG] Agenda Proposal

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 21 March 2016 22:31 UTC

To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
References: <56F05664.1010507@gmx.net> <9AED819A-6392-4115-99CF-D97E93BD0554@oracle.com> <16BDBD68-0851-4650-850E-454EE7D3ABE6@ve7jtb.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <56F07654.2070702@gmx.net>
Date: Mon, 21 Mar 2016 23:31:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <16BDBD68-0851-4650-850E-454EE7D3ABE6@ve7jtb.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="U6b3gGdFaq7xMRvWG8PFXwvgWegTdAKlI"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/swYrTdzraSqNm0tLgqtG3CPfMS4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Agenda Proposal

Hi John,
On 03/21/2016 10:47 PM, John Bradley wrote:
> For mix up we have the mix-up mitigation draft,  and the question of if
> the mitigation for the cut and paste attack should stay as part of that
> or be separate.

That's a good summary.

> 
> There are the two drafts that attempt to prevent leakage of bearer AT by
> the RS.
>    
> We don’t necessarily have consensus yet on if this is a real problem
> that OAuth needs to solve vs the API/Application using OAuth, as OAuth
> itself doesn’t say anything about how the client learns about the RS
> other than developer config out of band.
> 
> I can try and lead all or part of it.

I think it is fair that this topic is part of a separate discussion item
on the agenda, as Phil proposed.

Ciao
Hannes

> 
> John B.
> 
>> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.hunt@oracle.com
>> <mailto:phil.hunt@oracle.com>> wrote:
>>
>> I’m not sure you intend to discuss it in the Mix-up section, but I
>> think we need time to discuss the correct configuration of clients and
>> the resource/aud relationship issues
>> (specifically: draft-campbell-oauth-resource-indicators
>> <http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt> and draft-hunt-oauth-bound-config
>> <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
>>
>> There is apparently overlap with mix-up mitigation (either in reality
>> or perception), so I think it is important to have a verbal discussion
>> on this to get to consensus and understanding of the separate issues.
>>
>> As for POP-architecture, that has been on hold pending the mix-up
>> discussions and understanding of dynamic client risks.  So, not much
>> need to discuss from my perspective.
>>
>> Thanks,
>>
>> Phil
>>
>> @independentid
>> www.independentid.com <http://www.independentid.com/>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig
>>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>
>>> Hi all,
>>>
>>> I need your help creating the agenda for the next meeting. We have a 2
>>> 1/2 hour slot and many different topics to discuss. I put a strawman
>>> proposal together but there are various things missing:
>>>
>>> * who volunteers to present and to lead the discussion,
>>> * what time allocation is appropriate,
>>> * what you are trying to accomplish during the meeting (goals), and
>>> * what other items would you like to discuss (I know there are various
>>> items missing from the list).
>>>
>>> So, your input is needed!
>>>
>>> -------
>>>
>>> IETF 95 OAuth Meeting Agenda
>>> Wednesday, 10:00-12:30
>>> Chairs: Hannes Tschofenig/Derek Atkins
>>>
>>> - Status Update (Hannes, 5 min)
>>>
>>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min)
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>>
>>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
>>>
>>> - Proof-of-Possession (TBD, 35 min)
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>>>
>>> - Token Exchange (TBD, 15 min)
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>>>
>>> - OAuth 2.0 for Native Apps (William, 15 min)
>>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
>>>
>>> - Authentication Method Reference Values (Mike, 15 min)
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>>>
>>> - Conclusion (Hannes, 5 min)
>>>
>>> -------
>>>
>>> The latest version can be found at:
>>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
>>>
>>> Ciao
>>> Hannes & Derek
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>