[saag] OAuth IETF 103 Summary

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 08 November 2018 05:11 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 08 Nov 2018 05:11:28 +0000
Message-ID: <VI1PR0801MB21124837FE4929EF5CD79AA4FAC50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/E6759G0cJSc9MuWX1w7Hr7cpk8w>
Subject: [saag] OAuth IETF 103 Summary

We had two productive sessions in OAuth. The key highlights are:

- The group ran into problems with the work on token binding since browser support is not looking good. Additionally, we couldn't find out how to secure the implicit flow using token binding. It appears that OAuth Mutual TLS (MTLS) is the way forward.

- The OAuth security recommendations described in draft-ietf-oauth-security-topics now state that the implicit flow is not a viable choice due to the security challenges it poses. The recommendation is to use the authorization code grant.

- Several working group documents got discussed and advanced without any problems. These include PoP key distribution, resource indicators, OAuth MTLS, Distributed OAuth and Reciprocal OAuth.

- We saw proposals for new work: Torsten presented a proposal for 'JWT Secured Authorization Response Mode' and promised to submit a draft to the group. Aaron proposed a new draft describing recommendations for 'OAuth 2.0 for Browser-Based Apps' (draft-parecki-oauth-browser-based-apps-00). Omer presented the 'Seamless OAuth 2.0 Client Assertion Grant' draft (draft-hevroni-oauth-seamless-flow-00) and he is looking for review comments.
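As an added illustration of the implicit-flow versus authorization-code-grant point above (example code written for this archive page, not part of the original mail or of any OAuth working group document), the toy authorization server below contrasts the two front-channel responses and shows why the authorization code grant is the safer choice: the implicit flow puts the access token itself in the redirect URL fragment, whereas the code grant only exposes a short-lived, single-use code that must still be redeemed on the back channel. The example goes a step beyond the summary by binding the code to a PKCE code_verifier (RFC 7636), so a code seen in a redirect is useless to a bystander even for a public, browser-based client. The client identifiers, the secret and the redirect URI are constructed for the example.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed redirect URI for the example; not a real endpoint.
REDIRECT = "https://app.example/cb"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE values (RFC 7636)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy in-memory authorization server (constructed for this example)."""

    def __init__(self):
        # Registered clients: a secret for confidential clients, None for public ones.
        self.clients = {"web-app": "s3cret-web-app", "spa": None}
        self.codes = {}    # authorization code -> data it is bound to
        self.tokens = {}   # access token -> client_id

    def _issue_token(self, client_id):
        token = b64url(secrets.token_bytes(24))
        self.tokens[token] = client_id
        return token

    def authorize(self, response_type, client_id, redirect_uri, state, code_challenge=None):
        """Front channel: returns the URL the user agent is redirected back to.
        The resource owner is assumed to have authenticated and consented."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if response_type == "token":
            # Implicit flow: the access token itself travels in the URL fragment.
            params = {"access_token": self._issue_token(client_id),
                      "token_type": "Bearer", "state": state}
            return f"{redirect_uri}#{urlencode(params)}"
        if response_type == "code":
            if not code_challenge:
                raise ValueError("code_challenge required")
            code = b64url(secrets.token_bytes(24))
            self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                "code_challenge": code_challenge,
                                "expires": time.time() + 60}
            return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
        raise ValueError("unsupported response_type")

    def token(self, code, client_id, redirect_uri, code_verifier, client_secret=None):
        """Back channel: grant_type=authorization_code exchange."""
        entry = self.codes.pop(code, None)  # single use: any attempt consumes the code
        if entry is None or entry["expires"] < time.time():
            return {"error": "invalid_grant"}
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if client_id not in self.clients or self.clients[client_id] != client_secret:
            return {"error": "invalid_client"}
        expected = b64url(hashlib.sha256((code_verifier or "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, entry["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": self._issue_token(client_id), "token_type": "Bearer"}


def implicit_flow(srv):
    """Implicit flow: anything that sees the redirect URL sees the token."""
    url = srv.authorize("token", "spa", REDIRECT, state="s1")
    return parse_qs(urlparse(url).fragment)["access_token"][0]


def code_flow(srv, client_id, client_secret=None):
    """Code grant with PKCE. Returns the legitimate exchange, a replay of the
    same code, and an exchange by someone who saw a fresh redirect but holds
    neither the code_verifier nor the client secret."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    url = srv.authorize("code", client_id, REDIRECT, state="s2", code_challenge=challenge)
    code = parse_qs(urlparse(url).query)["code"][0]
    legit = srv.token(code, client_id, REDIRECT, verifier, client_secret)
    replay = srv.token(code, client_id, REDIRECT, verifier, client_secret)

    # Fresh authorization, observed by a bystander before the client redeems it.
    verifier2 = b64url(secrets.token_bytes(32))
    challenge2 = b64url(hashlib.sha256(verifier2.encode("ascii")).digest())
    url2 = srv.authorize("code", client_id, REDIRECT, state="s3", code_challenge=challenge2)
    code2 = parse_qs(urlparse(url2).query)["code"][0]
    intercepted = srv.token(code2, client_id, REDIRECT, code_verifier=None)
    return {"legit": legit, "replay": replay, "intercepted": intercepted}


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("implicit flow leaks token in fragment:", implicit_flow(srv))
    print("public client with PKCE:", code_flow(srv, "spa"))
    print("confidential client:", code_flow(srv, "web-app", "s3cret-web-app"))
```

The public client case is the one the browser-based-apps draft is about: with no client secret, the PKCE check is the only thing standing between an observed code and a token, so the server rejects the intercepted code with invalid_grant; the confidential client fails earlier, at client authentication. Real servers should also revoke any tokens issued from a code when that code is presented a second time, which this toy server does not model.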
