[secdir] ** OAuth Tutorial & OAuth Security Session **

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 07 November 2010 02:29 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Sat, 06 Nov 2010 21:22:33 -0500
To: ietf@ietf.org
Cc: abfab@ietf.org, rai@ietf.org, secdir@ietf.org, websec@ietf.org, xmpp@ietf.org, kitten@ietf.org, "iab@iab.org Board" <iab@iab.org>, iesg@ietf.org, oauth@ietf.org
Subject: [secdir] ** OAuth Tutorial & OAuth Security Session **

Hi all, 

please consider attending the following two meetings! 

** OAuth Security Session **

	• Date: Monday, 13:00-15:00
	• Location: IAB breakout room (Jade 2)
	• Contact: Hannes Tschofenig hannes.tschofenig@gmx.net

The security consideration section of OAuth 2.0 (draft -10) is still empty. Hence, we would like to put some time aside to discuss what security threats, requirements, and countermeasures need to be described. We will use the Monday, November 8, 1300-1500 slot to have a discussion session.

As a starting point I suggest looking at the following documents:

	• http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
	• http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
	• http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt

Note: If you are unfamiliar with OAuth then the OAuth tutorial session might be more suitable for you!

** OAuth Tutorial **

	• Date: Wednesday, 19:30 (after the plenary)
	• Location: IAB breakout room (Jade 2)
	• Contact: Hannes Tschofenig hannes.tschofenig@gmx.net

OAuth allows a user to grant a third-party Web site or application access to their resources, without necessarily revealing their credentials, or even their identity. The OAuth working group, see http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to finalize their main specification, namely OAuth v2: http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/

Based on the positive response at the last IETF meeting (in Maastricht) we decided to hold another OAuth tutorial, namely on Wednesday, starting at 19:30 (after the IETF Operations and Administration Plenary) till about 21:00. (Note: I had to switch the day because of the social event!)

It is helpful to read through the documents available in the working group but not required.

Up-to-date information can be found here: http://www.ietf.org/registration/MeetingWiki/wiki/79bofs