[OAUTH-WG] OAuth Status

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 09 January 2015 10:18 UTC

Message-ID: <54AFAADC.2080106@gmx.net>
Date: Fri, 09 Jan 2015 11:18:04 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/u-lI46oT2ImSpzx1wQEsmfpBBs8>
Subject: [OAUTH-WG] OAuth Status

Hi all,

Happy New Year!

I thought it would be good to quickly summarize where we are with our
work in OAuth as we start into 2015.

Late last year we issued a few working group last calls.

* SPOP
https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/

The WGLC was started already in the summer and led to a huge amount of
feedback. This led to an improved draft.

Nat, John, Naveen: What is the status of the document? What are the open
issues?

At a minimum there is the issue with the name of the document since it
actually does not propose a proof-of-possession solution.

* Token Introspection
https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/

Justin told me that he believes the document is ready for the IESG. I
will do my shepherd write-up and shepherd review of the latest version
before I hand it over to Kathleen.

* Dynamic Client Registration
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-21

We had a fair amount of discussion about this document on the mailing
list in response to my shepherd write-up. A new version of the document
has been published and I will have to double-check whether the review
comments have been incorporated. Then, the document will be ready for
the IESG.

* OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/

We issued a WGLC and received comments, which have not yet been
incorporated. The obvious next step is to publish a new version of the
document with the comments addressed. There is also the new mailing list
<unbearable> and we have to figure out how this aligns with the work we
are doing. Info is here:
http://www.ietf.org/mail-archive/web/oauth/current/msg13997.html

Derek will be the shepherd for that document.

I also wanted to produce a short write-up in response to a news story
late last year that blamed OAuth for getting things wrong while the real
issue is rather with the way responsibilities are distributed among
different players in the eco-system. Here is the link to the discussion
and the news story:
http://www.ietf.org/mail-archive/web/oauth/current/msg13929.html

We also have various documents in IESG processing, namely
 * JWT
 * Assertion Framework
 * SAML Bearer Assertion
 * JWT Bearer Assertion

Kathleen asked us to do a final review of the documents to make sure
that various review comments have been addressed appropriately. I am
planning to have a look at it today.

There is also a webinar upcoming, namely about Kantara UMA. This webinar
will be a bit different from earlier presentations you have heard about
UMA since it will be focused on the Internet of Things. This is part of the
webinar series we do in the IETF ACE working group. Here is a link to
the announcement:
http://www.ietf.org/mail-archive/web/oauth/current/msg14015.html

Related to the work in this group is the SASL OAuth draft, which is
currently in WGLC in the KITTEN working group and you might want to do a
quick review of the document:
https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-18

Here is the WGLC announcement from the KITTEN chairs:
http://www.ietf.org/mail-archive/web/oauth/current/msg14020.html

There is also the "authentication in OAuth" topic that we wanted to
progress. There is a write-up from Justin available, which will inform
the debate, but there was also interest to do something more official in
the working group. We discussed this at the last IETF meeting.

Also at the last IETF meeting we briefly spoke about the token
exchange/token delegation work and I got the impression that there is a
bit of confusion about the scope of the work and what functionality
should be covered in what document.

The last two topics seem to be suitable for conference calls. So, we
will try to arrange something to progress these topics.

Finally, there is the open redirect issue Antonio raised in
http://www.ietf.org/mail-archive/web/oauth/current/msg13367.html. The
attack might be difficult to understand but it is still worthwhile
to make an attempt to explain it to a wider audience (and also the
mitigation technique). I believe a draft would be quite suitable for
this purpose and I have spoken with Antonio about it already.

These are the items that come to mind right now. A lot of work ahead of
us, as it seems.

What is missing from the list? Feedback?

Ciao
Hannes & Derek