The scope of this draft is unclear. The title states: "OAuth Security Topics".

I have some questions:

 * Does this document intend to cover only the OAuth 2.0 delegation
   protocol (since Justin said that OAuth 2.0 is a delegation protocol)
   or OpenID Connect as well, which is not limited to a delegation
   protocol?
 * Should we discuss OpenID Connect issues and/or solutions in an IETF
   RFC?

If this document is going to be progressed, the threats should be clearly separated according to whether they relate to a delegation model or to
a client-server access control model. This is not currently the case.

If this document is going to be progressed, the ABC attack (in the context of an access control model) should be mentioned even if there exists no way to counter it given the current implicit assumptions made in OAuth 2.0, in particular the use of software-only implementations.


Denis

A belated +1


On Sat, Feb 4, 2017, 9:08 AM Jim Manico <[email protected] <mailto:[email protected]>> wrote:

    I'm just some random idiot and am not in this working group, but the
    work from
    https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
    is one of the most up-to-date and useful OAuth security resources
    ever published. I am thrilled to see more work put into it.

    Aloha, Jim


    On 2/3/17 1:57 PM, William Denniss wrote:
    I support the adoption of this document as a working group item.

    On Thu, Feb 2, 2017 at 2:30 PM, Jim Willeke <[email protected]
    <mailto:[email protected]>> wrote:

        +1
        I agree this is needed.

        --
        -jim
        Jim Willeke

        On Thu, Feb 2, 2017 at 4:33 PM, John Bradley
        <[email protected] <mailto:[email protected]>> wrote:

            I am in favour of adoption.
            > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig
            <[email protected]
            <mailto:[email protected]>> wrote:
            >
            > Hi all,
            >
            > this is the call for adoption of the 'OAuth Security
            Topics' document
            > following the positive call for adoption at the last IETF
            > meeting in Seoul.
            >
            > Here is the document:
            >
            > https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
            >
            > The intention with this document is to have a place to
            collect
            > discussions and conclusions around OAuth 2.0 security
            and to reference
            > the actual solution specifications.
            >
            > Please let us know by Feb 16th whether you accept /
            object to the
            > adoption of this document as a starting point for work
            in the OAuth
            > working group.
            >
            > Ciao
            > Hannes & Derek
            >
            > _______________________________________________
            > OAuth mailing list
            > [email protected] <mailto:[email protected]>
            > https://www.ietf.org/mailman/listinfo/oauth










-- Jim Manico
    Manicode Security
    https://www.manicode.com


--

Nat Sakimura

Chairman of the Board, OpenID Foundation




