Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Phil Hunt (IDM)
+1 for adoption 

Phil


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Manger, James
I support adoption of draft-campbell-oauth-mtls.

Now some comments on the doc:

1. [§2.3] The syntax of tls_client_auth_subject_dn is not specified. Perhaps 
LDAP's "String Representation of Distinguished Names" [RFC4514]? Perhaps a 
base64url-encoding of a DER-encoded DN?
It would actually be better to allow any subjectAltName to be specified, 
instead of a DN.

2. [§2.3] Change the name of tls_client_auth_issuer_dn (maybe 
tls_client_auth_root_dn). Given tls_client_auth_client_dn, it will be too easy 
to assume this pair refer to the issuer and subject fields of the cert.
PKI chains can be complex so the expected root might not be such a stable 
concept. For example, the Let's Encrypt CA chains to an ISRG Root and an 
IdenTrust DST Root [https://letsencrypt.org/certificates/].

3. [§2.3] If a client dynamically registers a "jwks_uri" does this mean the 
authz server MUST automatically cope when the client updates the key(s) it 
publishes there?

4. [§3] An access token is bound to a specific client certificate. That is 
probably ok, but does mean all access tokens die when the client updates their 
certificate (which could be every 2 months if using Let's Encrypt). This at 
least warrants a paragraph in the Security Considerations.

5. [§3.1] "exp" and "nbf" values in the example need to be numbers, not strings 
(drop the quotes).

6. An access token linked to a client TLS cert isn't a bearer token. The spec 
should really define a new token_type for responses from the token endpoint. 
That might not necessarily mean we need a new HTTP authentication scheme as 
well (it might just hint that "Bearer" wasn't quite the right name).

--
James Manger
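An added example (not from the draft and not from James's message) of the certificate binding that points 4 and 5 above are about, in Python using only the standard library. The token's cnf.x5t#S256 member carries base64url(SHA-256(DER certificate)); the resource server recomputes that thumbprint from the certificate the client presented in the mutual-TLS handshake and compares it. Presenting a rotated certificate fails the check while the token is still unexpired, which is exactly why every bound token dies on certificate renewal. The validator also refuses "exp"/"nbf" that are JSON strings rather than NumericDate integers. The certificate bytes, client_id, issuer URL and timestamps are constructed placeholders, not real PKI material.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed stand-ins for the DER encoding of a client certificate. Real code
# would take the bytes of the certificate the TLS layer presented; the check
# below only ever hashes them, so their content does not matter here.
CLIENT_CERT_DER_V1 = b"\x30\x82\x01\x0a" + b"client-cert-issued-2017-04" * 8
# The same client after rotating its certificate (a Let's Encrypt renewal, say).
CLIENT_CERT_DER_V2 = b"\x30\x82\x01\x0a" + b"client-cert-issued-2017-06" * 8

ISSUER = "https://as.example.com"  # hypothetical authorization server


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE encodes binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_token(client_id: str, scope: str, cert_der: bytes,
                      now: int, lifetime: int = 3600) -> dict:
    """Claims of an access token bound to cert_der via cnf.x5t#S256.

    exp/nbf/iat are NumericDate integers (seconds since the epoch), not
    strings: a JSON string would fail the type check in validate_bound_token.
    """
    return {
        "iss": ISSUER,
        "sub": client_id,
        "client_id": client_id,
        "scope": scope,
        "nbf": now,
        "iat": now,
        "exp": now + lifetime,
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def validate_bound_token(claims: dict, presented_cert_der: bytes,
                         now: int) -> Tuple[bool, str]:
    """Resource-server side: check validity window and certificate binding.

    presented_cert_der is the certificate the client used in the mutual-TLS
    handshake with the resource server. Returns (accepted, reason).
    """
    for name in ("exp", "nbf"):
        value = claims.get(name)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            return False, "%s must be a NumericDate integer, got %s" % (
                name, type(value).__name__)
    if now >= claims["exp"]:
        return False, "token expired"
    if now < claims["nbf"]:
        return False, "token not yet valid"
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False, "token carries no certificate binding"
    # Constant-time compare: the thumbprint is the only thing tying the
    # token to the presented certificate.
    if not hmac.compare_digest(expected, x5t_s256(presented_cert_der)):
        return False, "presented certificate does not match cnf.x5t#S256"
    return True, "ok"


if __name__ == "__main__":
    now = 1492700000  # constructed timestamp, April 2017
    token = issue_bound_token("s6BhdRkqt3", "read", CLIENT_CERT_DER_V1, now)
    print(json.dumps(token, indent=2))
    # Same certificate: accepted.
    print(validate_bound_token(token, CLIENT_CERT_DER_V1, now + 60))
    # Rotated certificate: every token bound to the old one is now dead
    # (point 4 above), even though it has not expired.
    print(validate_bound_token(token, CLIENT_CERT_DER_V2, now + 60))
    # exp as a JSON string instead of a number (point 5 above): rejected.
    broken = dict(token, exp=str(token["exp"]))
    print(validate_bound_token(broken, CLIENT_CERT_DER_V1, now + 60))
```

The thumbprint is over the whole DER certificate, so any re-issuance, even with the same key pair, produces a different value; a deployment that renews every two months needs either short-lived tokens or a re-authorization path for clients whose bound tokens are invalidated mid-lifetime.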


Re: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)

2017-04-20 Thread Jim Manico
I'd love to attend.

1) Can you handle remote participants?
2) Any chance you want to move this to Hawaii? I can host the work space. 
Seriously.

Aloha,
--
Jim Manico
@Manicode


Re: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)

2017-04-20 Thread Mike Jones
Excellent!


Re: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)

2017-04-20 Thread Torsten Lodderstedt
Hi all,

I'm pleased to announce the hosts managed to change the date of the security 
workshop to the end of the week before IETF-99, July 13-14. 

Please find the updated CfP below.

kind regards,
Torsten.

===

C a l l F o r P a p e r s

Second OAuth Security Workshop (OSW 2017)

Zurich, Switzerland -- July 13-14, 2017 (note the changed event date)

WWW: https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/ 


Position paper submission deadline: May 2, 2017 (AoE, UTC-12).

===

Overview

The OAuth Security Workshop (OSW) focuses on improving security of the
OAuth standard and related Internet protocols. This workshop brings
together the IETF OAuth Working Group and security experts from
research, industry, and standardization to this end. The workshop is
hosted by the Zurich Information Security and Privacy Center at ETH Zurich.

While the standardization process of OAuth ensures extensive reviews
(both security and non-security related), further analysis by security
experts from academia and industry is essential to ensure high quality
specifications. Contributions to this workshop can help to improve the
security of the Web and the Internet.


Scope

We seek position papers related to the security of OAuth, OpenID
Connect, and other technologies using OAuth under the hood.
Contributions regarding technologies that are used in OAuth, such as
JOSE, or impact the security of OAuth, such as Web technology, are also
welcome.


Important Dates

Position paper submission deadline: May 2, 2017 (AoE, UTC-12).
Author notification: May 15, 2017.
Registration deadline: June 16, 2017.
Workshop: July 13 and July 14, 2017.


Invited Speakers

Cas Cremers, University of Oxford


Submission

We welcome position papers that describe existing work, raise new
requirements, highlight challenges, write-ups of implementation and
deployment experience, lessons-learned from successful or failed
attempts, and ideas on how to improve OAuth and OAuth extensions.

Position papers submitted to the OAuth Security Workshop may report on
(unpublished) work in progress, be submitted to other places, and may
even have already appeared or been accepted elsewhere.

Submissions must be in PDF format and should feature reasonable margins
and formatting. There is no page limit, but the submission should be
brief (ideally not more than 3-5 pages). Submissions should not be
anonymized.

Submission Website: https://easychair.org/conferences/?conf=osw17 



Publication and Presentation

One of the authors of the accepted position paper is expected to present
the paper at the workshop.

All presentations and papers will be put online but there will be no
formal proceedings. Authors of accepted papers will have the option to
revise their papers before they are put online.


IPR Policy

The workshop will have no expectation of IPR disclosure or licensing
related to its submissions. Authors are responsible for obtaining
appropriate publication clearances.


Program Committee

Chairs
David Basin (ETH Zurich)
Torsten Lodderstedt (YES Europe)

Members
John Bradley (Ping Identity)
Ralf Küsters (University of Stuttgart)
Chris Mitchell (Royal Holloway University of London)
Anthony Nadalin (Microsoft)
Nat Sakimura (Nomura Research Institute)
Ralf Sasse (ETH Zurich)
Jörg Schwenk (Ruhr University Bochum)
Hannes Tschofenig (IETF OAuth Working Group Co-Chair)

> On 13.03.2017 at 21:01, John Bradley wrote:
> 
> I did point out earlier when I discovered the dates, that I similarly asked 
> for it to be later in the week.
> It is probably fine for Europeans but it will stop many people from being 
> able to attend including myself unless I can come up with other meetings in 
> Europe to fill those days.
> 
> If we can't move it then we will have to live with it and attend or not.
> 
> John B.
> 
>> On Mar 13, 2017, at 4:46 PM, Torsten Lodderstedt  
>> wrote:
>> 
>> Hi Mike,
>> 
>> yes, those are the right dates. There are restrictions from the host's side, 
>> that’s why the workshop needs to take place on Monday and Tuesday. As far as 
>> I remember the host was clear about that from the beginning. 
>> 
>> best regards,
>> Torsten.
>> 
>>> On 12.03.2017 at 22:15, Mike Jones wrote:
>>> 
>>> Are Monday-Tuesday, July 10-11 really the right dates?  I'm asking because 
>>> IETF in Prague doesn't start until Sunday, July 16th.  That leaves 4 days 
>>> dead time in between for those of us who are attending both.
>>> 
>>> When I was first told about this workshop, I was told that it would be 
>>> sometime Wednesday-Friday that week.  Can it be moved back to those dates?  
>>> That would be a big help for those of us travelling distances to attend.
>>> 
>>> Or is there also another event in the Wednesday-Fri

Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread John Bradley
I accept the adoption as a starting point.

John B.



[OAUTH-WG] Meetings Minutes

2017-04-20 Thread Rifaat Shekh-Yusef
Hi,

We have uploaded the minutes to the following link:
https://www.ietf.org/proceedings/98/minutes/minutes-98-oauth-00

Thanks to Jeff Hodges for taking the notes.

Please, let us know if you have any feedback.

Regards,
 Rifaat & Hannes


Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Brian Campbell
I accept adoption of this document as a starting point for work in the
OAuth working group!



[OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Hannes Tschofenig
Hi all,

based on the strong support for this document at the Chicago IETF
meeting we are issuing a call for adoption of the "Mutual TLS Profiles
for OAuth Clients" document, see
https://tools.ietf.org/html/draft-campbell-oauth-mtls-01

Please let us know by May 4th whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Ciao
Hannes & Rifaat


