* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Oauth Status Pages

Web Authorization Protocol (Active WG)
Sec Area: Eric Rescorla, Kathleen Moriarty | 2009-May-13 —  
Chairs
 
 


IETF-100 oauth minutes

Session 2017-11-14 1550-1750: Sophia - Audio stream - oauth chatroom
Session 2017-11-15 1520-1650: Orchard - Audio stream - oauth chatroom

Minutes

minutes-100-oauth-00 minutes



          Web Authorization Protocol (OAuth)
          ==================================
          
          Tuesday’s Agenda
          ----------------
          
          ** Chairs Update – 10 min
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-chairs-update/
          
          
          NEW: OAuth Security Workshop 2018
          
          ** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-token-binding/
          
          
          Leif: should be possible to constrain the issuer of certs in pki mode
          Brian: implementers feedback - not easy to implement due to the data
          exposed by the TLS layer
          Leif: at least add security consideration around potential security
          considerations
          Torsten: we have some text regarding this attack in section 6.2 -
          pls. give it a read
          Justin: can only be used with grant types utilizing token endpoint,
          so what about implicit?
          John: we don’t believe provisioning of certs into user browsers is
          desirable, token binding is the better solution
          Justin: reasonable argument - please add text to the spec clearing
          cutting this off
          Brian: only open comment right now about metadata for mtls bound access
          tokens
          Hannes: What is the difference between this spec and token binding
          (in particular given support for self-signed certificates)?
          John/Torsten: self-signed certs are a lightweight replacement for client
          authentication
          Dick: you should consider large cloud providers terminate TLS at the
          load balancers, won’t potentially work there
          Justin: banks today use TLS and mutual TLS, so from their perspective,
          this draft adds OAuth for TLS.
          Hannes: Please add text about the difference into the document to make
          it clear for the reader.
          WGLC will be issued in december after clarification.
          
          Reviewers: Justin and Leif
          
          ** OAuth 2.0 Token Binding (30 min, Brian Campbell)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-mutual-tls-profile-for-oauth-20/
          
          
          Reviewer: Mike
          
          ** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-authorization-server-discovery-metadata/
          
          
          Mike to update the draft.
          
          ** JSON Web Token Best Current Practices  – (15 min, Mike Jones)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-json-web-token-best-current-practices/
          
          
          Brian to search for old comment regarding content type.
          Chairs to ask for more reviewers on SAAG list.
          
          Reviewer: Phil
          
          ** OAuth 2.0 Device Flow – (15 min, John Bradley)
          
          Nat to compare his review comments with the proposed resolution. Ready
          for another WGLC.
          
          Reviewer: Torsten
          
          ** OAuth 2.0 Device Posture Signals – (15 min, John Bradley)
          
          Hannes: seem to make a lot of assumptions, e.g. regarding attestation?
          John: direct TLS connection to token endpoint, individual attestations
          already signed
          wendy Privacy considerations?
          John: need to discuss
          dave: What prevents one app from stealing an attestation from another
          app?
          John: depends on the API, e.g. on Android it is Safety Net, draft depends
          on token binding for replay prevention
          No one seemed to have read the document
          Tony: relationship to token binding attestation?
          John: other level (TLS instead of App)
          Lucy: reliability of data? How is the AS supposed to enforce a policy?
          John: low level functions create attestation, the app just bundles this
          pieces and passes them onto the AS
          Hannes: need to understand the architecture
          Torsten: need to document architecture and trust model
          John: there is some implementation experience, we need to get the vendor
          talk about it
          dave: what is the signature? What key material?
          
          5 persons are interested in this topic but nobody read the draft. Requires
          expertise from the hardware community.
          
          Wednesday’s Agenda
          ------------------
          
          ** OAuth Security Topics – (30 min, Torsten Lodderstedt)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-security-topics/
          
          
          Concerns over the document lifecycle. Solutions, such as the audience,
          may need to be put into separate document.
          bcp can be updated if newer threats or mitigations come in
          
          A consensus call on the recommendations in document needs to be done on
          the list
          
          Reviewers: Nat, Dick, Brian
          
          ** Mutual OAuth – (20 min, Dick Hardt)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-mutual-oauth/
          
          
          Questions and concern over consent. Presentation did not capture the
          consent parts.
          Potential overlap with other work, such as token exchange.
          
          Poll: 14 persons were in favor of working on this topic / 0 against
          
          ** Distributed OAuth – (20 min, Dick Hardt)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-distributed-oauth/
          
          
          Overlap with prior work has been noted (e.g. UMA 2.0)
          
          There is general WG interest in the topic.
          
          ** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials –
          (10 min, Marco Tiloca)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-raw-public-key-and-preshared-key-as-oauth-client-credentials/
          
          
          Justin: should we merge this with the mutual tls draft , resounding no
          from most of room
          
          ** Public Identity Infrastructure for the Internet – (10 min, Vittorio
          Bertola)
          https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-a-public-identity-infrastructure-for-the-internet/
          
          
          Justin -  Wanted to know why this would stop fragmentation or will help
          to unify? There have been other adoption issues like web finger.
          Nat - already looked at a dns based solution and was not practical
          Leif- overlap in openid federation: how does the trust mechanism
          scale? DNS is a poor infrastructure to build upon
          
          



Generated from PyHt script /wg/oauth/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -