* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Oauth Status Pages

Web Authorization Protocol (Active WG)
Sec Area: Eric Rescorla, Kathleen Moriarty | 2009-May-13 —  

IETF-100 oauth minutes

Session 2017-11-14 1550-1750: Sophia - Audio stream - oauth chatroom
Session 2017-11-15 1520-1650: Orchard - Audio stream - oauth chatroom


minutes-100-oauth-00 minutes

          Web Authorization Protocol (OAuth)
          Tuesday’s Agenda
          ** Chairs Update – 10 min
          NEW: OAuth Security Workshop 2018
          ** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell)
          Leif: should be possible to constrain the issuer of certs in pki mode
          Brian: implementers feedback - not easy to implement due to the data
          exposed by the TLS layer
          Leif: at least add security consideration around potential security
          Torsten: we have some text regarding this attack in section 6.2 -
          pls. give it a read
          Justin: can only be used with grant types utilizing token endpoint,
          so what about implicit?
          John: we don’t believe provisioning of certs into user browsers is
          desirable, token binding is the better solution
          Justin: reasonable argument - please add text to the spec clearing
          cutting this off
          Brian: only open comment right now about metadata for mtls bound access
          Hannes: What is the difference between this spec and token binding
          (in particular given support for self-signed certificates)?
          John/Torsten: self-signed certs are a lightweight replacement for client
          Dick: you should consider large cloud providers terminate TLS at the
          load balancers, won’t potentially work there
          Justin: banks today use TLS and mutual TLS, so from their perspective,
          this draft adds OAuth for TLS.
          Hannes: Please add text about the difference into the document to make
          it clear for the reader.
          WGLC will be issued in december after clarification.
          Reviewers: Justin and Leif
          ** OAuth 2.0 Token Binding (30 min, Brian Campbell)
          Reviewer: Mike
          ** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones)
          Mike to update the draft.
          ** JSON Web Token Best Current Practices  – (15 min, Mike Jones)
          Brian to search for old comment regarding content type.
          Chairs to ask for more reviewers on SAAG list.
          Reviewer: Phil
          ** OAuth 2.0 Device Flow – (15 min, John Bradley)
          Nat to compare his review comments with the proposed resolution. Ready
          for another WGLC.
          Reviewer: Torsten
          ** OAuth 2.0 Device Posture Signals – (15 min, John Bradley)
          Hannes: seem to make a lot of assumptions, e.g. regarding attestation?
          John: direct TLS connection to token endpoint, individual attestations
          already signed
          wendy Privacy considerations?
          John: need to discuss
          dave: What prevents one app from stealing an attestation from another
          John: depends on the API, e.g. on Android it is Safety Net, draft depends
          on token binding for replay prevention
          No one seemed to have read the document
          Tony: relationship to token binding attestation?
          John: other level (TLS instead of App)
          Lucy: reliability of data? How is the AS supposed to enforce a policy?
          John: low level functions create attestation, the app just bundles this
          pieces and passes them onto the AS
          Hannes: need to understand the architecture
          Torsten: need to document architecture and trust model
          John: there is some implementation experience, we need to get the vendor
          talk about it
          dave: what is the signature? What key material?
          5 persons are interested in this topic but nobody read the draft. Requires
          expertise from the hardware community.
          Wednesday’s Agenda
          ** OAuth Security Topics – (30 min, Torsten Lodderstedt)
          Concerns over the document lifecycle. Solutions, such as the audience,
          may need to be put into separate document.
          bcp can be updated if newer threats or mitigations come in
          A consensus call on the recommendations in document needs to be done on
          the list
          Reviewers: Nat, Dick, Brian
          ** Mutual OAuth – (20 min, Dick Hardt)
          Questions and concern over consent. Presentation did not capture the
          consent parts.
          Potential overlap with other work, such as token exchange.
          Poll: 14 persons were in favor of working on this topic / 0 against
          ** Distributed OAuth – (20 min, Dick Hardt)
          Overlap with prior work has been noted (e.g. UMA 2.0)
          There is general WG interest in the topic.
          ** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials –
          (10 min, Marco Tiloca)
          Justin: should we merge this with the mutual tls draft , resounding no
          from most of room
          ** Public Identity Infrastructure for the Internet – (10 min, Vittorio
          Justin -  Wanted to know why this would stop fragmentation or will help
          to unify? There have been other adoption issues like web finger.
          Nat - already looked at a dns based solution and was not practical
          Leif- overlap in openid federation: how does the trust mechanism
          scale? DNS is a poor infrastructure to build upon

Generated from PyHt script /wg/oauth/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -