[saag] IETF#100 OAuth WG Meeting Report

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 16 November 2017 05:21 UTC


The OAuth working group met twice this week. The key points of the
meetings were:

* We have a document (see draft-ietf-oauth-security-topics-03) that
offers recommendations on OAuth security topics and we are seeking input
on these recommendations.

* We are finalizing the OAuth Device Flow work, which is used by devices
that have limited UI capabilities. Another WGLC will follow soon.

* We are looking for crypto experience on the JWT BCP, see
draft-ietf-oauth-jwt-bcp-00.

* For the OAuth 2.0 Token Binding we are looking for implementation
experience.

* Several new items were proposed:

  - a way for a user to pair protected resources that would like to
request access to each other, in draft-hardt-oauth-mutual-00

  - a way for the OAuth client to discover which authorization server to
use with a given resource server, in draft-hardt-distributed-oauth

  - a solution for conveying attestation information to an authorization
server, in draft-wdenniss-oauth-device-posture

  - the use of PSK- and RPK-based proof-of-possession tokens, in
draft-erdtman-ace-rpcc

  - the use of the DNS for identity management, in
draft-bertola-dns-openid-pidi-architecture-00

The group expressed interest in working on the first two items. Further
discussion and experimentation on the other ideas are needed.