Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98

2017-03-17 Thread Brian Campbell 
Thanks Mike, 30 minutes sounds about right for OAuth Token Binding

On Mar 17, 2017 6:54 PM, "Mike Jones"  wrote:

> Hi Chairs,
>
> I'd like to request that the following presentations be added to the
> agenda:
>
> OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike
> Jones - 15 minutes
> OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) -
> Mike Jones - 15 minutes
>
> I'd also talked with Brian Campbell and I think he wants to lead this
> discussion, in part based on his implementation experience:
>
> OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian
> Campbell - 30 minutes
>
> (Brian may suggest a different amount of time)
>
> I agree that William Dennis should present about the OAuth Device Flow
> (draft-ietf-oauth-device-flow).
>
> For completeness, I don't think a presentation is needed about OAuth AMR
> Values (draft-ietf-oauth-amr-values) because it's now completed its IESG
> review.
>
> I'll look forward to seeing many of you in just over a week!
>
> -- Mike
>
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of "IETF
> Secretariat"
> Sent: Friday, March 3, 2017 3:55 PM
> To: oauth-cha...@ietf.org; smccam...@amsl.com
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for
> IETF 98
>
> Dear Stephanie McCammon,
>
> The session(s) that you have requested have been scheduled.
> Below is the scheduled session information followed by the original
> request.
>
> oauth Session 1 (2:30:00)
> Friday, Morning Session I 0900-1130
> Room Name: Zurich C size: 100
> -
> oauth Session 2 (1:00:00)
> Monday, Afternoon Session III 1710-1810
> Room Name: Zurich C size: 100
> -
>
>
>
> Request Information:
>
>
> -
> Working Group Name: Web Authorization Protocol Area Name: Security Area
> Session Requester: Stephanie McCammon
>
> Number of Sessions: 2
> Length of Session(s):  2.5 Hours, 1 Hour Number of Attendees: 50 Conflicts
> to Avoid:
>  First Priority: saag core tls tokbind
>
>
>
>
> People who must be present:
>   Hannes Tschofenig
>   Kathleen Moriarty
>   Derek Atkins
>
> Resources Requested:
>   Projector in room
>
> Special Requests:
>   Please avoid conflict with sec area BoFs.
> -
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98

2017-03-17 Thread Mike Jones 
Hi Chairs,

I'd like to request that the following presentations be added to the agenda:

OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 
15 minutes
OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike 
Jones - 15 minutes

I'd also talked with Brian Campbell and I think he wants to lead this 
discussion, in part based on his implementation experience:

OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 
30 minutes

(Brian may suggest a different amount of time)

I agree that William Dennis should present about the OAuth Device Flow 
(draft-ietf-oauth-device-flow).

For completeness, I don't think a presentation is needed about OAuth AMR Values 
(draft-ietf-oauth-amr-values) because it's now completed its IESG review.

I'll look forward to seeing many of you in just over a week!

-- Mike

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of "IETF Secretariat"
Sent: Friday, March 3, 2017 3:55 PM
To: oauth-cha...@ietf.org; smccam...@amsl.com
Cc: oauth@ietf.org
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98

Dear Stephanie McCammon,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by the original request. 

oauth Session 1 (2:30:00)
Friday, Morning Session I 0900-1130
Room Name: Zurich C size: 100
-
oauth Session 2 (1:00:00)
Monday, Afternoon Session III 1710-1810
Room Name: Zurich C size: 100
-



Request Information:


-
Working Group Name: Web Authorization Protocol Area Name: Security Area Session 
Requester: Stephanie McCammon

Number of Sessions: 2
Length of Session(s):  2.5 Hours, 1 Hour Number of Attendees: 50 Conflicts to 
Avoid: 
 First Priority: saag core tls tokbind




People who must be present:
  Hannes Tschofenig
  Kathleen Moriarty
  Derek Atkins

Resources Requested:
  Projector in room

Special Requests:
  Please avoid conflict with sec area BoFs.
-

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread Jim Manico 
Brian (and John),

Thank you both for the references. Perfect.

Aloha, Jim


On 3/17/17 12:10 PM, Brian Campbell wrote:
> Dirk gave this preso nearly 2 years ago
> https://www.slideshare.net/CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015
> 
> which is out of date but has the main concepts, I think. There's also
> this http://www.browserauth.net/token-binding
>  page by him.
>
> I'm planing on a doing a presentation on Token Binding at CIS
>  this summer. But that's not
> until June and none of the content exists yet.
>
> Otherwise the draft specs are probably the best bet at this point. And
> they are all still in draft, though some are more stable than others,
> they may still change.
>
> Token Binding:
> https://tools.ietf.org/html/draft-ietf-tokbind-https-08
> https://tools.ietf.org/html/draft-ietf-tokbind-protocol-13
> https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-07
>
> Application in OAuth:
> https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02
>
> Application in OpenID Connect:
> http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
>
>
>
>
> On Fri, Mar 17, 2017 at 9:09 AM, Jim Manico  > wrote:
>
> Hello OAuthers,
>
> I'm trying to get my head around token binding beyond the RFC. Are
> there any presentations or other media on token binding that any
> of you are aware of? My google-fu is coming up empty.
>
> Thanks and Aloha,
> - Jim
> ___
> OAuth mailing list
> OAuth@ietf.org 
> https://www.ietf.org/mailman/listinfo/oauth
> 
>
>

-- 
Jim Manico
Manicode Security
https://www.manicode.com

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread Brian Campbell 
Dirk gave this preso nearly 2 years ago https://www.slideshare.net/
CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015 which is
out of date but has the main concepts, I think. There's also this
http://www.browserauth.net/token-binding page by him.

I'm planing on a doing a presentation on Token Binding at CIS
 this summer. But that's not until
June and none of the content exists yet.

Otherwise the draft specs are probably the best bet at this point. And they
are all still in draft, though some are more stable than others, they may
still change.

Token Binding:
https://tools.ietf.org/html/draft-ietf-tokbind-https-08
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-13
https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-07

Application in OAuth:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02

Application in OpenID Connect:
http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html




On Fri, Mar 17, 2017 at 9:09 AM, Jim Manico  wrote:

> Hello OAuthers,
>
> I'm trying to get my head around token binding beyond the RFC. Are there
> any presentations or other media on token binding that any of you are aware
> of? My google-fu is coming up empty.
>
> Thanks and Aloha,
> - Jim
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread John Bradley 
Yes I was referring to support for token binding at the TLS level in Edge & IE 
and perhaps other HTTP API support. for token binding negotiation on TLS 
connections.  

Not support for things built on top of token binding.   

IIS being updated to token bind cookies is another matter that I haven't seen 
any timing on.

Chrome on most if not all platforms and Edge on RS2 i believe should all 
support servers token binding cookies in the 3 to 6 month timeframe to be 
conservative.

I know Google has already turned on token binding negotiation for some web 
parts of Google.

John B.




> On Mar 17, 2017, at 2:59 PM, Anthony Nadalin  wrote:
> 
> I’m unaware of any support for “OAuth” Token Binding from Microsoft, so I 
> assume you are talking just about Token Binding cookies
>   <>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> Sent: Friday, March 17, 2017 10:43 AM
> To: Jim Manico 
> Cc: IETF OAUTH 
> Subject: Re: [OAUTH-WG] Token Binding Presentations?
>  
> This has some of the basic info, but needs some updating.   
> http://www.browserauth.net/ 
>  
> Other than that there are the specs in the Token binding WG and the one we 
> just updated for OAuth.
>  
> With Microsoft supporting it in RS2 coming out in a month or so I would hope 
> to see some developer documentation from them soon.
>  
> John B.
>  
> On Mar 17, 2017, at 12:09 PM, Jim Manico  > wrote:
>  
> Hello OAuthers,
> 
> I'm trying to get my head around token binding beyond the RFC. Are there any 
> presentations or other media on token binding that any of you are aware of? 
> My google-fu is coming up empty.
> 
> Thanks and Aloha,
> - Jim
> ___
> OAuth mailing list
> OAuth@ietf.org 
> https://www.ietf.org/mailman/listinfo/oauth 
> 


smime.p7s
Description: S/MIME Cryptographic Signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread Anthony Nadalin 
I'm unaware of any support for "OAuth" Token Binding from Microsoft, so I 
assume you are talking just about Token Binding cookies

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
Sent: Friday, March 17, 2017 10:43 AM
To: Jim Manico 
Cc: IETF OAUTH 
Subject: Re: [OAUTH-WG] Token Binding Presentations?

This has some of the basic info, but needs some updating.   
http://www.browserauth.net/

Other than that there are the specs in the Token binding WG and the one we just 
updated for OAuth.

With Microsoft supporting it in RS2 coming out in a month or so I would hope to 
see some developer documentation from them soon.

John B.

On Mar 17, 2017, at 12:09 PM, Jim Manico 
mailto:j...@manicode.com>> wrote:

Hello OAuthers,

I'm trying to get my head around token binding beyond the RFC. Are there any 
presentations or other media on token binding that any of you are aware of? My 
google-fu is coming up empty.

Thanks and Aloha,
- Jim
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread John Bradley 
This has some of the basic info, but needs some updating.   
http://www.browserauth.net/ 

Other than that there are the specs in the Token binding WG and the one we just 
updated for OAuth.

With Microsoft supporting it in RS2 coming out in a month or so I would hope to 
see some developer documentation from them soon.

John B.

> On Mar 17, 2017, at 12:09 PM, Jim Manico  wrote:
> 
> Hello OAuthers,
> 
> I'm trying to get my head around token binding beyond the RFC. Are there any 
> presentations or other media on token binding that any of you are aware of? 
> My google-fu is coming up empty.
> 
> Thanks and Aloha,
> - Jim
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



smime.p7s
Description: S/MIME Cryptographic Signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread Jim Manico 
Hello OAuthers,

I'm trying to get my head around token binding beyond the RFC. Are there any 
presentations or other media on token binding that any of you are aware of? My 
google-fu is coming up empty.

Thanks and Aloha,
- Jim
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth