Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 07 November 2010 23:04 UTC

Message-ID: <4CD73075.8050408@lodderstedt.net>
Date: Mon, 08 Nov 2010 00:04:21 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <30C8090C-AD0E-4D2A-8F26-6EFC52DCDD9D@gmx.net>
In-Reply-To: <30C8090C-AD0E-4D2A-8F26-6EFC52DCDD9D@gmx.net>
Cc: abfab@ietf.org, rai@ietf.org, ietf@ietf.org, secdir@ietf.org, websec@ietf.org, xmpp@ietf.org, kitten@ietf.org, "iab@iab.org Board" <iab@iab.org>, iesg@ietf.org, Mark Mcgloin <mark.mcgloin@ie.ibm.com>, oauth@ietf.org
Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Hi all,

Mark McGloin and I have been working on OAuth 2.0 security 
considerations for a couple of weeks now. Since neither of us can attend 
the IETF-79 meetings, we would like to provide the WG with information 
regarding the current status of our work. I have therefore uploaded a 
_preliminary_ version of our working document to the WG's wiki at 
http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf. 
The focus of this version was on consolidating previous work as well as 
the results of mailing list discussions, and on starting to work towards a 
rigorous threat model.

Please give us feedback.

regards,
Torsten.

On 07.11.2010 03:22, Hannes Tschofenig wrote:
> Hi all,
>
> please consider attending the following two meetings!
>
> ** OAuth Security Session **
>
> 	• Date: Monday, 13:00-15:00
> 	• Location: IAB breakout room (Jade 2)
> 	• Contact: Hannes Tschofenig hannes.tschofenig@gmx.net
> The security considerations section of OAuth 2.0 (draft -10) is still empty. Hence, we would like to put some time aside to discuss what security threats, requirements, and countermeasures need to be described. We will use the Monday, November 8, 1300-1500 slot to have a discussion session.
>
> As a starting point I suggest looking at the following documents:
>
> 	• http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
> 	• http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
> 	• http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt
>
> Note: If you are unfamiliar with OAuth then the OAuth tutorial session might be more suitable for you!
>
>
>
> ** OAuth Tutorial **
>
> 	• Date: Wednesday, 19:30 (after the plenary)
> 	• Location: IAB breakout room (Jade 2)
> 	• Contact: Hannes Tschofenig hannes.tschofenig@gmx.net
> OAuth allows a user to grant a third-party Web site or application access to their resources, without necessarily revealing their credentials, or even their identity. The OAuth working group, see http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to finalize their main specification, namely OAuth v2: http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
>
> Based on the positive response at the last IETF meeting (in Maastricht) we decided to hold another OAuth tutorial, namely on Wednesday, starting at 19:30 (after the IETF Operations and Administration Plenary) till about 21:00. (Note: I had to switch the day because of the social event!)
>
> It is helpful to read through the documents available in the working group, but not required.
>
> Up-to-date information can be found here: http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth