[saag] OAuth Summary

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 26 March 2015 17:27 UTC

Message-ID: <55144186.6040600@gmx.net>
Date: Thu, 26 Mar 2015 18:27:34 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: saag <saag@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/diD4ka6VB0ePBf_wDFU0iv6JneU>
Subject: [saag] OAuth Summary

We started the OAuth meeting with a discussion about
the current status. The group is making good progress.

* Four documents are currently in the RFC Editor Queue, namely the OAuth
assertion framework, JWT Bearer Assertions, SAML Bearer Assertions and
the JSON Web Token (JWT).

* Two documents are currently in IETF processing, namely the
Dynamic Client Registration and the Dynamic Client
Registration Management protocols.

* Three other documents are about to be sent to the IESG any day
now, namely token introspection, the proof-of-possession
architecture and the Proof Key for Code Exchange.

The main part of the meeting was spent on the discussion of
the proof-of-possession solution components, namely
draft-ietf-oauth-signed-http-request,
draft-ietf-oauth-pop-key-distribution, and
draft-ietf-oauth-proof-of-possession. A design question
regarding proof-of-possession support for refresh tokens was
raised during the meeting and further analysis is needed to
resolve the issue.

Two new documents have been presented to the audience, namely
* JWT Destination Claim: draft-campbell-oauth-dst4jwt, and
* Open Redirector: draft-bradley-oauth-open-redirector

The security problems (based on actual attacks) described in the Open
Redirector document raised the question about the best way to offer
security guidance in the OAuth WG.

A few participants from the working group met Wednesday
evening to discuss next steps regarding the token exchange
specification.