Re: [OAUTH-WG] Meeting Minutes

2019-12-23 Thread Torsten Lodderstedt
If I got you right, you want to see more people reading the draft? 

6 non-authors had read the draft in Singapore, and more people have already indicated 
their support for WG adoption in this thread. 

How many readers does it take to qualify for a call for adoption? 

> On 23. Dec 2019, at 16:56, Hannes Tschofenig wrote:
> 
> During the vacation period few people pay attention to the list. I guess 
> early 2020 would be useful.
> If you manage to ping some folks to review the draft that would be great. Too 
> few raised their hands in Singapore when we asked.
>  
> Happy holidays! 
>  
> From: Torsten Lodderstedt  
> Sent: Saturday, December 21, 2019 10:59 AM
> To: Hannes Tschofenig 
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Meeting Minutes
>  
> With respect to Rich Authorization Requests, the minutes state that a call 
> for adoption will be sent to the list. When will this call for adoption be 
> sent to the list?
>  
> 
> On 03.12.2019 at 09:26, Hannes Tschofenig wrote:
> 
>  
> Here are the meeting minutes from the Singapore IETF meeting:
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>  
> Tony was our scribe. Thanks!
>  
>  



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Meeting Minutes

2019-12-23 Thread Hannes Tschofenig
During the vacation period few people pay attention to the list. I guess early 
2020 would be useful.
If you manage to ping some folks to review the draft that would be great. Too 
few raised their hands in Singapore when we asked.

Happy holidays!

From: Torsten Lodderstedt 
Sent: Saturday, December 21, 2019 10:59 AM
To: Hannes Tschofenig 
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Meeting Minutes

With respect to Rich Authorization Requests, the minutes state that a call for 
adoption will be sent to the list. When will this call for adoption be sent 
to the list?

On 03.12.2019 at 09:26, Hannes Tschofenig wrote:

Here are the meeting minutes from the Singapore IETF meeting:
https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03

Tony was our scribe. Thanks!




Re: [OAUTH-WG] Meeting Minutes

2019-12-21 Thread Torsten Lodderstedt
With respect to Rich Authorization Requests, the minutes state that a call for 
adoption will be sent to the list. When will this call for adoption be sent 
to the list?

> On 03.12.2019 at 09:26, Hannes Tschofenig wrote:
> 
> 
> Here are the meeting minutes from the Singapore IETF meeting:
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>  
> Tony was our scribe. Thanks!
>  
>  


Re: [OAUTH-WG] Meeting Minutes

2019-12-17 Thread David Waite
+1 to adopting PAR.

For RAR I have a number of questions myself with the approach and with some of 
the ramifications. I’m most concerned with the coupling of business-specific 
presentation, process validation and workflow within the AS, but also with the 
mixing of single transactional approval into access tokens that are normally 
meant for longer-lived, coarser client authorizations.

To stick with the primary payment example - there are payment cases which model 
well for single resource authorization, such as a PayPal-style transaction 
where the client is also the recipient of funds. For other types of 
transactions, I would worry this may become primarily an AS-executed action 
rather than a client authorization.

Before the device flow and before CIBA, I’d probably try and make a case for 
not adopting it. The decoupling of the client from any user-agent that could 
ask for user authorization outside of OAuth has made an increase in scope (of 
scopes) a higher need - the current communication pipe between the client and 
user-agent is only defined in the scope of the actual OAuth grant processes.

-DW


> On Dec 16, 2019, at 9:26 AM, Brian Campbell wrote:
> 
> With respect to the Pushed Authorization Requests (PAR) draft the minutes do 
> capture an individual comment that it's a "no brainer to adopt this work" but 
> as I recall there was also a hum to gauge the room's interest in adoption, 
> which was largely in favor of such. Of course, one hum in Singapore isn't the 
> final word but, following from that, I was hoping/expecting to see a call for 
> adoption go out to the mailing list? 
> 
> On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig wrote:
> Here are the meeting minutes from the Singapore IETF meeting:
> 
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03 
> 
>  
> 
> Tony was our scribe. Thanks!
> 
>  
> 
>  
> 


Re: [OAUTH-WG] Meeting Minutes

2019-12-16 Thread Steinar Noem
I'd also like to see adoption for both PAR and RAR. We will actually start
to use the "authorization_details" parameter early next year.

On Tue, 17 Dec 2019 at 08:43, Dominick Baier wrote:

> I’d support adoption of both PAR and RAR.
>
> ———
> Dominick Baier
>
> On 16. December 2019 at 23:02:58, Rob Otto (robotto=40pingidentity@dmarc.ietf.org) wrote:
>
> I’d support adoption of both PAR and RAR.
>
>> On Mon, 16 Dec 2019 at 21:57, Richard Backman, Annabelle wrote:
>
>> +1 for a call for adoption on PAR.
>>
>>
>>
>> I’d also like to see one for RAR; while there are questions that need to
>> be resolved, there seems to be strong interest in this work and adoption
>> means we can have those discussions within the WG where they belong.
>>
>>
>>
>> –
>>
>> Annabelle Richard Backman
>>
>> AWS Identity
>>
>>
>>
>>
>>
>> *From:* OAuth on behalf of Justin Richer <jric...@mit.edu>
>> *Date:* Monday, December 16, 2019 at 12:36 PM
>> *To:* Brian Campbell 
>> *Cc:* "oauth@ietf.org" 
>> *Subject:* Re: [OAUTH-WG] Meeting Minutes
>>
>>
>>
>> +1 to this. My take away was that PAR was pretty clear for adoption right
>> now, RAR had interest but more question/debate.
>>
>>
>>
>> FWIW I’m in favor of both of them.
>>
>>
>>
>>  — Justin
>>
>>
>>
>> On Dec 16, 2019, at 11:26 AM, Brian Campbell <bcampbell=40pingidentity@dmarc.ietf.org> wrote:
>>
>>
>>
>> With respect to the Pushed Authorization Requests (PAR) draft the minutes
>> do capture an individual comment that it's a "no brainer to adopt this
>> work" but as I recall there was also a hum to gauge the room's interest in
>> adoption, which was largely in favor of such. Of course, one hum in
>> Singapore isn't the final word but, following from that, I was
>> hoping/expecting to see a call for adoption go out to the mailing list?
>>
>>
>>
>> On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
>>
>> Here are the meeting minutes from the Singapore IETF meeting:
>>
>> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>>
>>
>>
>> Tony was our scribe. Thanks!
>>
>>
>>
>>
>>
>>
> --
> Rob Otto
> EMEA Field CTO - Ping Identity
> +44 777 135 6092
>
>


-- 
Kind regards

Steinar Noem
Partner Udelt AS
Systems developer

| stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no |


Re: [OAUTH-WG] Meeting Minutes

2019-12-16 Thread Dominick Baier
I’d support adoption of both PAR and RAR.

———
Dominick Baier

On 16. December 2019 at 23:02:58, Rob Otto (robotto=40pingidentity@dmarc.ietf.org) wrote:

I’d support adoption of both PAR and RAR.

On Mon, 16 Dec 2019 at 21:57, Richard Backman, Annabelle  wrote:

> +1 for a call for adoption on PAR.
>
>
>
> I’d also like to see one for RAR; while there are questions that need to
> be resolved, there seems to be strong interest in this work and adoption
> means we can have those discussions within the WG where they belong.
>
>
>
> –
>
> Annabelle Richard Backman
>
> AWS Identity
>
>
>
>
>
> *From:* OAuth on behalf of Justin Richer <jric...@mit.edu>
> *Date:* Monday, December 16, 2019 at 12:36 PM
> *To:* Brian Campbell 
> *Cc:* "oauth@ietf.org" 
> *Subject:* Re: [OAUTH-WG] Meeting Minutes
>
>
>
> +1 to this. My take away was that PAR was pretty clear for adoption right
> now, RAR had interest but more question/debate.
>
>
>
> FWIW I’m in favor of both of them.
>
>
>
>  — Justin
>
>
>
> On Dec 16, 2019, at 11:26 AM, Brian Campbell <bcampbell=40pingidentity@dmarc.ietf.org> wrote:
>
>
>
> With respect to the Pushed Authorization Requests (PAR) draft the minutes
> do capture an individual comment that it's a "no brainer to adopt this
> work" but as I recall there was also a hum to gauge the room's interest in
> adoption, which was largely in favor of such. Of course, one hum in
> Singapore isn't the final word but, following from that, I was
> hoping/expecting to see a call for adoption go out to the mailing list?
>
>
>
> On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
>
> Here are the meeting minutes from the Singapore IETF meeting:
>
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>
>
>
> Tony was our scribe. Thanks!
>
>
>
>
>
>
--
Rob Otto
EMEA Field CTO - Ping Identity
+44 777 135 6092



Re: [OAUTH-WG] Meeting Minutes

2019-12-16 Thread Rob Otto
I’d support adoption of both PAR and RAR.

On Mon, 16 Dec 2019 at 21:57, Richard Backman, Annabelle  wrote:

> +1 for a call for adoption on PAR.
>
>
>
> I’d also like to see one for RAR; while there are questions that need to
> be resolved, there seems to be strong interest in this work and adoption
> means we can have those discussions within the WG where they belong.
>
>
>
> –
>
> Annabelle Richard Backman
>
> AWS Identity
>
>
>
>
>
> *From: *OAuth on behalf of Justin Richer <jric...@mit.edu>
> *Date: *Monday, December 16, 2019 at 12:36 PM
> *To: *Brian Campbell 
> *Cc: *"oauth@ietf.org" 
> *Subject: *Re: [OAUTH-WG] Meeting Minutes
>
>
>
> +1 to this. My take away was that PAR was pretty clear for adoption right
> now, RAR had interest but more question/debate.
>
>
>
> FWIW I’m in favor of both of them.
>
>
>
>  — Justin
>
>
>
> On Dec 16, 2019, at 11:26 AM, Brian Campbell <bcampbell=40pingidentity@dmarc.ietf.org> wrote:
>
>
>
> With respect to the Pushed Authorization Requests (PAR) draft the minutes
> do capture an individual comment that it's a "no brainer to adopt this
> work" but as I recall there was also a hum to gauge the room's interest in
> adoption, which was largely in favor of such. Of course, one hum in
> Singapore isn't the final word but, following from that, I was
> hoping/expecting to see a call for adoption go out to the mailing list?
>
>
>
> On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
>
> Here are the meeting minutes from the Singapore IETF meeting:
>
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>
>
>
> Tony was our scribe. Thanks!
>
>
>
>
>
>
-- 
Rob Otto
EMEA Field CTO - Ping Identity
+44 777 135 6092



Re: [OAUTH-WG] Meeting Minutes

2019-12-16 Thread Justin Richer
+1 to this. My take away was that PAR was pretty clear for adoption right now, 
RAR had interest but more question/debate. 

FWIW I’m in favor of both of them.

 — Justin

> On Dec 16, 2019, at 11:26 AM, Brian Campbell wrote:
> 
> With respect to the Pushed Authorization Requests (PAR) draft the minutes do 
> capture an individual comment that it's a "no brainer to adopt this work" but 
> as I recall there was also a hum to gauge the room's interest in adoption, 
> which was largely in favor of such. Of course, one hum in Singapore isn't the 
> final word but, following from that, I was hoping/expecting to see a call for 
> adoption go out to the mailing list? 
> 
> On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig wrote:
> Here are the meeting minutes from the Singapore IETF meeting:
> 
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03 
> 
>  
> 
> Tony was our scribe. Thanks!
> 
>  
> 
>  
> 


Re: [OAUTH-WG] Meeting Minutes

2019-12-16 Thread Brian Campbell
With respect to the Pushed Authorization Requests (PAR) draft the minutes
do capture an individual comment that it's a "no brainer to adopt this
work" but as I recall there was also a hum to gauge the room's interest in
adoption, which was largely in favor of such. Of course, one hum in
Singapore isn't the final word but, following from that, I was
hoping/expecting to see a call for adoption go out to the mailing list?

On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig wrote:

> Here are the meeting minutes from the Singapore IETF meeting:
>
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>
>
>
> Tony was our scribe. Thanks!
>
>
>
>



Re: [OAUTH-WG] Meeting Minutes

2016-04-19 Thread Nat Sakimura
I recall the same with Torsten and Brian. 

At least, there was a sentiment in the room that we have to come up with a 
comprehensive analysis of the security model and threat to come up with a 
proper solution. 

 

Trying to keep patching the protocol because you can would not be helpful. 

 

Nat

 

 


From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of tors...@lodderstedt.net
Sent: Tuesday, April 19, 2016 5:17 PM
To: hannes.tschofe...@gmx.net; bcampb...@pingidentity.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Meeting Minutes

 

Different people, different perceptions :-)

But anyway, the discussion on the list has already started, right?



 Original message 
Subject: Re: [OAUTH-WG] Meeting Minutes
From: Hannes Tschofenig <hannes.tschofe...@gmx.net>
To: Brian Campbell <bcampb...@pingidentity.com>, Torsten Lodderstedt <tors...@lodderstedt.net>
Cc: oauth@ietf.org

Hi Torsten,

On 04/19/2016 12:34 AM, Brian Campbell wrote:
>
> I felt some consensus around the topic that in the end, there must be
> normative changes to the core protocol and the respective security
> considerations.
>
> Barry gave his advice regarding updates in this context.

There was no consensus on this topic during the meeting and, in
addition, we have to consult those on the mailing list as well.

Barry, in my understanding, outlined the different options we have at
the meeting.


Ciao
Hannes



Re: [OAUTH-WG] Meeting Minutes

2016-04-19 Thread Hannes Tschofenig


On 04/19/2016 10:17 AM, tors...@lodderstedt.net wrote:
> But anyway, the discussion on the list has already started, right?

I triggered the discussion since I believe it is a worthwhile topic to
think about and, given that it is a bigger decision, we should be
mindful about the direction we take.

Ciao
Hannes





Re: [OAUTH-WG] Meeting Minutes

2016-04-19 Thread tors...@lodderstedt.net
Different people, different perceptions :-)

But anyway, the discussion on the list has already started, right?

 Original message 
Subject: Re: [OAUTH-WG] Meeting Minutes
From: Hannes Tschofenig
To: Brian Campbell, Torsten Lodderstedt
Cc: oauth@ietf.org

>Hi Torsten,
>
>On 04/19/2016 12:34 AM, Brian Campbell wrote:
>>
>> I felt some consensus around the topic that in the end, there must be
>> normative changes to the core protocol and the respective security
>> considerations.
>>
>> Barry gave his advice regarding updates in this context.
>
>There was no consensus on this topic during the meeting and, in
>addition, we have to consult those on the mailing list as well.
>
>Barry, in my understanding, outlined the different options we have at
>the meeting.
>
>
>Ciao
>Hannes
>


Re: [OAUTH-WG] Meeting Minutes

2016-04-19 Thread Hannes Tschofenig
Hi Torsten,

On 04/19/2016 12:34 AM, Brian Campbell wrote:
>
> I felt some consensus around the topic that in the end, there must be
> normative changes to the core protocol and the respective security
> considerations.
>
> Barry gave his advice regarding updates in this context.

There was no consensus on this topic during the meeting and, in
addition, we have to consult those on the mailing list as well.

Barry, in my understanding, outlined the different options we have at
the meeting.


Ciao
Hannes





Re: [OAUTH-WG] Meeting Minutes

2016-04-18 Thread Phil Hunt
There were multiple options discussed in the meeting and on the emails.

I noticed there was strong support for consolidation if there is an opportunity 
to reduce the number of RFCs developers have to pay attention to.  This is 
where Barry commented that there are differences between a 6749bis, vs an 
UpdateBy vs. adding more drafts.

I’m not sure what the best RFC approach is, but if I was to re-organize the 
drafts to make life easy for implementers I would start to break things down 
into distinct areas where there is minimal overlap (except with core). Maybe 
something along the lines of...

*  Core — what is the core protocol and the security measures that apply to all 
implementations
*  Functional Cases
   — Mobile - threats and remediation that apply to mobile applications
   — Browser - threats and remediations that apply to javascript apps
   — Dynamic clients - Formalizing how client applications configure at run 
time or on the fly and/or talk to more than one service provider or oauth 
service. This can also include dynamic registration.
   — Dynamic Resources - Resource services that are deployed against multiple 
different OAuth infrastructure providers (e.g. hosted in multi-clouds), or 
accept authorization/tokens from more than one authorization service. This may 
include formalization of how resources express or register scopes with ASes and 
how they register to be served.

Regarding Dynamic Resources, we haven’t really discussed this. But it seems 
like many AS’s are now issuing generic tokens in enterprise scenarios because 
they actually know nothing about the resources they are controlling access to. 
Potentially this is because resources are spun up and taken down independently. 
 This seems to be its own set of problems and risks that would be worth 
discussing in its own document. Some of this has been discussed in the UMA 
cases, but I’m not sure the UMA proposals work in the broader application 
space.  Certainly we can be informed by the UMA work here.

Phil

@independentid
www.independentid.com phil.h...@oracle.com 






> On Apr 18, 2016, at 4:20 PM, Justin Richer  wrote:
> 
> I recall +1’ing that idea in the chat. It’s an “updates” to 6819 at least.
> 
>  — Justin
> 
> 
>> On Apr 18, 2016, at 6:34 PM, Brian Campbell wrote:
>> 
>> Yeah, as I recall, there was at least some support around the idea of an 
>> "enhanced OAuth security" document. 
>> 
>> On Sun, Apr 17, 2016 at 2:46 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>> Hi all,
>> 
>> the security discussion started with mix up and cut and paste, but we had a 
>> much broader discussion including further issues, such as open redirector. I 
>> suggested to merge all threats we are currently discussing into a single 
>> document in order to come up with a consolidated view on "enhanced OAuth 
>> security". This would at least include:
>> - mix up
>> - copy and paste
>> - changed behavior of browsers regarding URL fragments
>> - open redirector (AS and client)
>> - (potentially) XSRF and advice on how to mitigate it using state
>> 
>> I think that would help the working group to get an overview on ALL issues 
>> (including e.g. fragments) and _systematically_ improve OAuth. We did the 
>> same when we originally published the core spec - and it worked.
>> 
>> I felt some consensus around the topic that in the end, there must be 
>> normative changes to the core protocol and the respective security 
>> considerations.
>> 
>> Barry gave his advice regarding updates in this context.
>> 
>> best regards,
>> Torsten.
>> 
>> > On 06.04.2016 at 19:43, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>> >
>> > Leif was so nice to take meeting notes during the OAuth meeting today
>> > and they have been uploaded to:
>> > https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth 
>> > 
>> >
>> > Please take a look at them and let me know if they are incorrect or need
>> > to be extended.
>> >
>> > Ciao
>> > Hannes
>> >

Re: [OAUTH-WG] Meeting Minutes

2016-04-18 Thread Justin Richer
I recall +1’ing that idea in the chat. It’s an “updates” to 6819 at least.

 — Justin


> On Apr 18, 2016, at 6:34 PM, Brian Campbell wrote:
> 
> Yeah, as I recall, there was at least some support around the idea of an 
> "enhanced OAuth security" document. 
> 
> On Sun, Apr 17, 2016 at 2:46 AM, Torsten Lodderstedt wrote:
> Hi all,
> 
> the security discussion started with mix up and cut and paste, but we had a 
> much broader discussion including further issues, such as open redirector. I 
> suggested to merge all threats we are currently discussing into a single 
> document in order to come up with a consolidated view on "enhanced OAuth 
> security". This would at least include:
> - mix up
> - copy and paste
> - changed behavior of browsers regarding URL fragments
> - open redirector (AS and client)
> - (potentially) XSRF and advice on how to mitigate it using state
> 
> I think that would help the working group to get an overview on ALL issues 
> (including e.g. fragments) and _systematically_ improve OAuth. We did the 
> same when we originally published the core spec - and it worked.
> 
> I felt some consensus around the topic that in the end, there must be 
> normative changes to the core protocol and the respective security 
> considerations.
> 
> Barry gave his advice regarding updates in this context.
> 
> best regards,
> Torsten.
> 
> > On 06.04.2016 at 19:43, Hannes Tschofenig wrote:
> >
> > Leif was so nice to take meeting notes during the OAuth meeting today
> > and they have been uploaded to:
> > https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth 
> > 
> >
> > Please take a look at them and let me know if they are incorrect or need
> > to be extended.
> >
> > Ciao
> > Hannes
> >


Re: [OAUTH-WG] Meeting Minutes

2016-04-18 Thread Brian Campbell
Yeah, as I recall, there was at least some support around the idea of an
"enhanced OAuth security" document.

On Sun, Apr 17, 2016 at 2:46 AM, Torsten Lodderstedt <
tors...@lodderstedt.net> wrote:

> Hi all,
>
> the security discussion started with mix up and cut and paste, but we had
> a much broader discussion including further issues, such as open
> redirector. I suggested to merge all threats we are currently discussing
> into a single document in order to come up with a consolidated view on
> "enhanced OAuth security". This would at least include:
> - mix up
> - copy and paste
> - changed behavior of browsers regarding URL fragments
> - open redirector (AS and client)
> - (potentially) XSRF and advice on how to mitigate it using state
>
> I think that would help the working group to get an overview on ALL issues
> (including e.g. fragments) and _systematically_ improve OAuth. We did the
> same when we originally published the core spec - and it worked.
>
> I felt some consensus around the topic that in the end, there must be
> normative changes to the core protocol and the respective security
> considerations.
>
> Barry gave his advice regarding updates in this context.
>
> best regards,
> Torsten.
>
> > On 06.04.2016 at 19:43, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
> >
> > Leif was so nice to take meeting notes during the OAuth meeting today
> > and they have been uploaded to:
> > https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth
> >
> > Please take a look at them and let me know if they are incorrect or need
> > to be extended.
> >
> > Ciao
> > Hannes
> >


Re: [OAUTH-WG] Meeting Minutes

2016-04-17 Thread Torsten Lodderstedt
Hi all,

the security discussion started with mix up and cut and paste, but we had a 
much broader discussion including further issues, such as open redirector. I 
suggested to merge all threats we are currently discussing into a single 
document in order to come up with a consolidated view on "enhanced OAuth 
security". This would at least include:
- mix up
- copy and paste
- changed behavior of browsers regarding URL fragments
- open redirector (AS and client)
- (potentially) XSRF and advice on how to mitigate it using state

I think that would help the working group to get an overview on ALL issues 
(including e.g. fragments) and _systematically_ improve OAuth. We did the same 
when we originally published the core spec - and it worked.

I felt some consensus around the topic that in the end, there must be 
normative changes to the core protocol and the respective security 
considerations.

Barry gave his advice regarding updates in this context.

best regards,
Torsten.

> On 06.04.2016 at 19:43, Hannes Tschofenig wrote:
> 
> Leif was so nice to take meeting notes during the OAuth meeting today
> and they have been uploaded to:
> https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth
> 
> Please take a look at them and let me know if they are incorrect or need
> to be extended.
> 
> Ciao
> Hannes
> 
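The state-based XSRF mitigation Torsten lists above, as an added example that is not part of the thread or of any OAuth draft. The client session store, the function names, the sample URLs and the per-AS redirect URI convention used for the mix-up check are constructed assumptions:

```python
"""Added example, not code from the mailing-list thread: a client-side
check of the OAuth 2.0 `state` parameter as the CSRF (XSRF) mitigation
the thread mentions. Everything here (session store, function names,
sample URLs, the per-AS redirect URI convention) is a constructed
assumption for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL_SECONDS = 600  # constructed value: how long a pending flow stays valid


@dataclass
class PendingAuth:
    """What the client remembers, per user session, between sending the
    authorization request and receiving the redirect back."""
    issuer: str        # the AS this flow was started with
    redirect_uri: str  # the redirect URI sent in the authorization request
    created: float


@dataclass
class ClientSession:
    """Per-user client session; state values are single-use keys."""
    pending: Dict[str, PendingAuth] = field(default_factory=dict)


@dataclass
class RedirectResult:
    ok: bool
    reason: str = ""
    code: Optional[str] = None
    issuer: Optional[str] = None


def begin_authorization(session, issuer, authz_endpoint, client_id, redirect_uri):
    """Generate an unguessable state bound to this session and this AS and
    build the authorization request URL. Returns (url, state)."""
    state = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe alphabet
    session.pending[state] = PendingAuth(issuer, redirect_uri, time.time())
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{authz_endpoint}?{urlencode(params)}", state


def handle_redirect(session, callback_url, now=None):
    """Validate the redirect back to the client. A missing, unknown, reused
    or expired state means the response was not started by this session
    (or is a replay), so the code is discarded without being redeemed."""
    now = time.time() if now is None else now
    parsed = urlparse(callback_url)
    query = parse_qs(parsed.query)
    state = query.get("state", [None])[0]
    if not state:
        return RedirectResult(False, "missing state: possible CSRF")
    # pop() makes the state single-use, so a replayed redirect fails here
    pending = session.pending.pop(state, None)
    if pending is None:
        return RedirectResult(False, "unknown or reused state: possible CSRF")
    if now - pending.created > STATE_TTL_SECONDS:
        return RedirectResult(False, "state expired")
    # Assumption beyond the thread: the client uses a distinct redirect URI
    # per AS, so a response delivered to the wrong URI (a mix-up) is caught.
    arrived_at = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if arrived_at != pending.redirect_uri:
        return RedirectResult(False, "response arrived on another redirect URI: possible mix-up")
    if "error" in query:
        return RedirectResult(False, f"authorization error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        return RedirectResult(False, "no authorization code in response")
    return RedirectResult(True, code=code, issuer=pending.issuer)
```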


Re: [OAUTH-WG] Meeting Minutes

2016-04-12 Thread Justin Richer
That’s correct, we’ve filed an issue in our project to track its eventual 
implementation:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1055
 


 — Justin

> On Apr 11, 2016, at 8:21 AM, Brian Campbell wrote:
> 
> Under the Token Exchange part it says, "Jim Fenton: we have implmentation 
> that could be adapted to this." but, as I recall, Jim was not speaking for 
> himself there but rather on behalf of Justin via the Jabber room.  
> 
> 
> 
> On Wed, Apr 6, 2016 at 11:43 AM, Hannes Tschofenig wrote:
> Leif was so nice to take meeting notes during the OAuth meeting today
> and they have been uploaded to:
> https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth 
> 
> 
> Please take a look at them and let me know if they are incorrect or need
> to be extended.
> 
> Ciao
> Hannes
> 
> 


Re: [OAUTH-WG] Meeting Minutes

2016-04-11 Thread Brian Campbell
Under the Token Exchange part it says, "Jim Fenton: we have implmentation
that could be adapted to this." but, as I recall, Jim was not speaking for
himself there but rather on behalf of Justin via the Jabber room.



On Wed, Apr 6, 2016 at 11:43 AM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:

> Leif was so nice to take meeting notes during the OAuth meeting today
> and they have been uploaded to:
> https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth
>
> Please take a look at them and let me know if they are incorrect or need
> to be extended.
>
> Ciao
> Hannes
>
>


Re: [OAUTH-WG] Meeting Minutes

2016-04-07 Thread Gil Kirkpatrick
>> John Bradley sang a few notes from the Sound of Music to end the meeting.

Were the hills alive? :)

-gil

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, April 7, 2016 3:14 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Meeting Minutes

Leif was so nice to take meeting notes during the OAuth meeting today and they 
have been uploaded to:
https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth

Please take a look at them and let me know if they are incorrect or need to be 
extended.

Ciao
Hannes




Re: [OAUTH-WG] Meeting Minutes

2015-07-25 Thread Brian Campbell
My sense of the consensus in the room is as Justin describes it.

On Sat, Jul 25, 2015 at 9:14 AM, Justin Richer  wrote:

> > Consensus: For use of existing params defined in OAuth, while allowing
> some to be optional when not needed.
>
> That was not the consensus as I understood it in the room. The consensus
> was the first portion, as originally noted. The second portion was Mike’s
> requested amendment, and it (and other aspects like the value of
> token_type) were brought up as details that the editors would work on and
> come back to the list.
>
>  — Justin
>
>
> > On Jul 25, 2015, at 7:07 AM, Mike Jones 
> wrote:
> >
> > Good notes.  Please apply the following fixes to them...
> >
> > To the list of new OAuth RFCs since the last meeting please also add:
> >   draft-ietf-oauth-json-web-token
> >   draft-ietf-oauth-saml2-bearer
> >   draft-ietf-oauth-jwt-bearer
> >
> > Please change:
> >   Mike: If the access_token is used, then we must add to spec that
> it's there for historic reasons and say that it's actually not always the
> same token.
> > to:
> >   Mike: If the access_token is used, then we must add to spec that
> it's there for historic reasons and say that it's actually not always an
> access token.
> >
> > Please change:
> >   Consensus: For use of existing params defined in OAuth.
> > to:
> >   Consensus: For use of existing params defined in OAuth, while
> allowing some to be optional when not needed.
> >
> > Please change:
> >   Mike: Microsoft oauth2 server have a 'resource' param to indicate
> the audience.
> > to:
> >   Mike: Microsoft oauth2 server has a 'resource' param to indicate
> the resource that the access token will be used to access.
> >
> > whitely used -> widely used
> >
> > We need to go on with out lives -> We need to go on with our lives
> >
> > ready to a shepherd write-up -> ready for a shepherd write-up
> >
> > Finally, I would add a note saying:
> >   Some additional drafts are planned, including
> draft-jones-amr-values and draft-ietf-oauth-discovery
> >
> >   Thanks
> >   -- Mike
> >
> > -Original Message-
> > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes
> Tschofenig
> > Sent: Thursday, July 23, 2015 7:19 AM
> > To: oauth@ietf.org
> > Subject: [OAUTH-WG] Meeting Minutes
> >
> > Here are the notes from our meeting yesterday:
> >
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f93%2fminutes%2fminutes-93-oauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7ccb085108ecb0454b33c008d293699b85%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5GiVy2SivZk6GWeoXtabbQG1q3r1%2bL%2fnM4o2BmH5Kv8%3d
> >
> > Thanks to Erik for taking notes.
> >
> > Please let me know if something is missing or incorrect within the next
> > 2 weeks.
> >
> > Ciao
> > Hannes
> >


Re: [OAUTH-WG] Meeting Minutes

2015-07-25 Thread Justin Richer
> Consensus: For use of existing params defined in OAuth, while allowing some 
> to be optional when not needed.

That was not the consensus as I understood it in the room. The consensus was 
the first portion, as originally noted. The second portion was Mike’s requested 
amendment, and it (and other aspects like the value of token_type) were brought 
up as details that the editors would work on and come back to the list.

 — Justin


> On Jul 25, 2015, at 7:07 AM, Mike Jones  wrote:
> 
> Good notes.  Please apply the following fixes to them...
> 
> To the list of new OAuth RFCs since the last meeting please also add:
>   draft-ietf-oauth-json-web-token
>   draft-ietf-oauth-saml2-bearer
>   draft-ietf-oauth-jwt-bearer
> 
> Please change:
>   Mike: If the access_token is used, then we must add to spec that it's 
> there for historic reasons and say that it's actually not always the same 
> token.
> to:
>   Mike: If the access_token is used, then we must add to spec that it's 
> there for historic reasons and say that it's actually not always an access 
> token.
> 
> Please change:
>   Consensus: For use of existing params defined in OAuth.
> to:
>   Consensus: For use of existing params defined in OAuth, while allowing 
> some to be optional when not needed.
> 
> Please change:
>   Mike: Microsoft oauth2 server have a 'resource' param to indicate the 
> audience.
> to:
>   Mike: Microsoft oauth2 server has a 'resource' param to indicate the 
> resource that the access token will be used to access.
> 
> whitely used -> widely used
> 
> We need to go on with out lives -> We need to go on with our lives
> 
> ready to a shepherd write-up -> ready for a shepherd write-up
> 
> Finally, I would add a note saying:
>   Some additional drafts are planned, including draft-jones-amr-values 
> and draft-ietf-oauth-discovery
> 
>   Thanks
>   -- Mike
> 
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, July 23, 2015 7:19 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Meeting Minutes
> 
> Here are the notes from our meeting yesterday:
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f93%2fminutes%2fminutes-93-oauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7ccb085108ecb0454b33c008d293699b85%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5GiVy2SivZk6GWeoXtabbQG1q3r1%2bL%2fnM4o2BmH5Kv8%3d
> 
> Thanks to Erik for taking notes.
> 
> Please let me know if something is missing or incorrect within the next
> 2 weeks.
> 
> Ciao
> Hannes
> 


Re: [OAUTH-WG] Meeting Minutes

2015-07-24 Thread Mike Jones
Good notes.  Please apply the following fixes to them...

To the list of new OAuth RFCs since the last meeting please also add:
draft-ietf-oauth-json-web-token
draft-ietf-oauth-saml2-bearer
draft-ietf-oauth-jwt-bearer

Please change:
Mike: If the access_token is used, then we must add to spec that it's 
there for historic reasons and say that it's actually not always the same token.
to:
Mike: If the access_token is used, then we must add to spec that it's 
there for historic reasons and say that it's actually not always an access 
token.

Please change:
Consensus: For use of existing params defined in OAuth.
to:
Consensus: For use of existing params defined in OAuth, while allowing 
some to be optional when not needed.

Please change:
Mike: Microsoft oauth2 server have a 'resource' param to indicate the 
audience.
to:
Mike: Microsoft oauth2 server has a 'resource' param to indicate the 
resource that the access token will be used to access.

whitely used -> widely used

We need to go on with out lives -> We need to go on with our lives

ready to a shepherd write-up -> ready for a shepherd write-up

Finally, I would add a note saying:
Some additional drafts are planned, including draft-jones-amr-values 
and draft-ietf-oauth-discovery

Thanks
-- Mike

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, July 23, 2015 7:19 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Meeting Minutes

Here are the notes from our meeting yesterday:
https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f93%2fminutes%2fminutes-93-oauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7ccb085108ecb0454b33c008d293699b85%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5GiVy2SivZk6GWeoXtabbQG1q3r1%2bL%2fnM4o2BmH5Kv8%3d

Thanks to Erik for taking notes.

Please let me know if something is missing or incorrect within the next
2 weeks.

Ciao
Hannes



Re: [OAUTH-WG] Meeting Minutes

2014-11-25 Thread Hannes Tschofenig
Hi Antonio,

thanks for raising this issue and for pointing to the relevant email
exchange.

Let me figure out the schedule for getting this issue resolved. I
believe we could cover this topic in one of our conference calls (for
which I have to distribute a poll first).

I believe it is important to produce a write-up about this issue; the
question is only what the appropriate format is.

Ciao
Hannes


On 11/25/2014 10:44 AM, Antonio Sanso wrote:
> hi Hannes ,
> 
> thanks for sharing the minutes.
> 
> about
> 
> == John reported a security problem where a 302 redirect without
> user interaction causes security problems. Do we want to say somthing
> about this?  Implementation guidance somewhere?
> 
> Chairs: Is this written up?
> 
> John: Yes, on mailing list.
> 
> Justin: This might be a good example for the oauth.net article
> section because it's implementation advice, not a change to the
> protocol. =
> 
> I assume (maybe wrong) this might be about [0]. My question is there
> any timeline/action plan for this topic? I am more than happy if I
> could contribute or try to help out
> 
> regards
> 
> antonio
> 
> [0] http://www.ietf.org/mail-archive/web/oauth/current/msg13367.html
> 
> 
> On Nov 14, 2014, at 4:05 AM, Hannes Tschofenig
>  wrote:
> 
>> Hi all,
>> 
>> here is a draft version of the meeting minutes: 
>> http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth
>> 
>> Thanks to Brian Rosen for taking notes.
>> 
>> Comments are welcome!
>> 
>> Ciao Hannes & Derek
>> 


Re: [OAUTH-WG] Meeting Minutes

2014-11-25 Thread Antonio Sanso
hi Hannes ,

thanks for sharing the minutes.

about

==
John reported a security problem where a 302 redirect without user interaction 
causes security problems. 
Do we want to say somthing about this?  Implementation guidance somewhere?

Chairs: Is this written up?

John: Yes, on mailing list.

Justin: This might be a good example for the oauth.net article section because 
it's implementation advice, not a change to the protocol.
=

I assume (maybe wrong) this might be about [0].
My question is there any timeline/action plan for this topic?
I am more than happy if I could contribute or try to help out

regards

antonio

[0] http://www.ietf.org/mail-archive/web/oauth/current/msg13367.html


On Nov 14, 2014, at 4:05 AM, Hannes Tschofenig  
wrote:

> Hi all,
> 
> here is a draft version of the meeting minutes:
> http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth
> 
> Thanks to Brian Rosen for taking notes.
> 
> Comments are welcome!
> 
> Ciao
> Hannes & Derek
> 


Re: [OAUTH-WG] Meeting Minutes

2014-11-19 Thread Hannes Tschofenig
Hi Mike, Hi Brian,

I have updated the meeting minutes based on your requests.
Here is the updated version:
http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth

Ciao
Hannes


On 11/14/2014 08:43 PM, Mike Jones wrote:
> Please change "jwt-req-request" to "jwt-reg-review", per 
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-10.1.
> 
> Other than that, the minutes look good.
> 
>   Thanks,
>   -- Mike
> 
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, November 13, 2014 5:05 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Meeting Minutes
> 
> Hi all,
> 
> here is a draft version of the meeting minutes:
> http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth
> 
> Thanks to Brian Rosen for taking notes.
> 
> Comments are welcome!
> 
> Ciao
> Hannes & Derek
> 


Re: [OAUTH-WG] Meeting Minutes

2014-11-14 Thread Mike Jones
Please change "jwt-req-request" to "jwt-reg-review", per 
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-10.1.

Other than that, the minutes look good.

Thanks,
-- Mike

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, November 13, 2014 5:05 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Meeting Minutes

Hi all,

here is a draft version of the meeting minutes:
http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth

Thanks to Brian Rosen for taking notes.

Comments are welcome!

Ciao
Hannes & Derek



Re: [OAUTH-WG] Meeting Minutes

2014-11-14 Thread Brian Campbell
I'd guess people wouldn't try to deploy those two options together because
it's clearly prohibited.

On Fri, Nov 14, 2014 at 9:47 AM, Justin Richer  wrote:

> Brian is right, it's still a MUST NOT. We could relax that to a SHOULD NOT
> to allow for the (still largely theoretical) structured client_id construct
> to change over time. The reason it's how it is right now is that most
> systems use the client_id value as a key into things and funny expect it to
> change, as was discussed at several meetings and on the list already.
> Current implementations of this spec don't use structured client_id values.
>
> But as this is now tagged as experimental, we could also just publish it
> as is and see if anybody actually tried to deploy those two options
> together.
>
> -- Justin
>
> / Sent from my phone /
>
>
>  Original message 
> From: Brian Campbell 
> Date:11/14/2014 4:26 AM (GMT-10:00)
> To: Hannes Tschofenig 
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Meeting Minutes
>
> My question was not really about the status of
> draft-bradley-oauth-stateless-client-id but rather about
> draft-ietf-oauth-dyn-reg-management allowing for the kind of stateless
> client id that Bradley described in his draft.
>
> And draft-ietf-oauth-dyn-reg-management still has text that says, 'The
> value of the "client_id" MUST NOT change from the initial registration
> response.' which makes it incompatible with the concepts described in
> draft-bradley-oauth-stateless-client-id.
>
> On Thu, Nov 13, 2014 at 8:05 PM, Hannes Tschofenig <
> hannes.tschofe...@gmx.net> wrote:
>
>> Hi all,
>>
>> here is a draft version of the meeting minutes:
>> http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth
>>
>> Thanks to Brian Rosen for taking notes.
>>
>> Comments are welcome!
>>
>> Ciao
>> Hannes & Derek
>>
>>


Re: [OAUTH-WG] Meeting Minutes

2014-11-14 Thread Justin Richer
Brian is right, it's still a MUST NOT. We could relax that to a SHOULD NOT to 
allow for the (still largely theoretical) structured client_id construct to 
change over time. The reason it's how it is right now is that most systems use 
the client_id value as a key into things and funny expect it to change, as was 
discussed at several meetings and on the list already. Current implementations 
of this spec don't use structured client_id values. 

But as this is now tagged as experimental, we could also just publish it as is 
and see if anybody actually tried to deploy those two options together.

-- Justin

/ Sent from my phone /


 Original message 
From: Brian Campbell  
Date:11/14/2014  4:26 AM  (GMT-10:00) 
To: Hannes Tschofenig  
Cc: oauth@ietf.org 
Subject: Re: [OAUTH-WG] Meeting Minutes 

My question was not really about the status of 
draft-bradley-oauth-stateless-client-id but rather about 
draft-ietf-oauth-dyn-reg-management allowing for the kind of stateless client 
id that Bradley described in his draft.

And draft-ietf-oauth-dyn-reg-management still has text that says, 'The value of 
the "client_id" MUST NOT change from the initial registration response.' which 
makes it incompatible with the concepts described in 
draft-bradley-oauth-stateless-client-id.

On Thu, Nov 13, 2014 at 8:05 PM, Hannes Tschofenig  
wrote:
Hi all,

here is a draft version of the meeting minutes:
http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth

Thanks to Brian Rosen for taking notes.

Comments are welcome!

Ciao
Hannes & Derek




Re: [OAUTH-WG] Meeting Minutes

2014-11-14 Thread Brian Campbell
My question was not really about the status of
draft-bradley-oauth-stateless-client-id but rather about
draft-ietf-oauth-dyn-reg-management allowing for the kind of stateless
client id that Bradley described in his draft.

And draft-ietf-oauth-dyn-reg-management still has text that says, 'The
value of the "client_id" MUST NOT change from the initial registration
response.' which makes it incompatible with the concepts described in
draft-bradley-oauth-stateless-client-id.

On Thu, Nov 13, 2014 at 8:05 PM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:

> Hi all,
>
> here is a draft version of the meeting minutes:
> http://www.ietf.org/proceedings/91/minutes/minutes-91-oauth
>
> Thanks to Brian Rosen for taking notes.
>
> Comments are welcome!
>
> Ciao
> Hannes & Derek
>
>
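The client_id invariant Brian quotes from draft-ietf-oauth-dyn-reg-management, enforced on the client side when a configuration response comes back, as an added example that is neither the draft's nor any project's code. The data class, function names and sample responses are constructed; the handling of a rotated client_secret and registration_access_token is an assumption taken from the published RFC 7592, not from this thread:

```python
"""Added example, not the draft's own code: how a client processes a
client-configuration response from the registration management endpoint
of draft-ietf-oauth-dyn-reg-management (published as RFC 7592), enforcing
the rule quoted in the thread that "client_id" MUST NOT change from the
initial registration response. Names and sample responses are constructed.
"""
import json
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Registration:
    """What the client stored from its initial registration response."""
    client_id: str
    client_secret: Optional[str]
    registration_access_token: str
    registration_client_uri: str


class RegistrationError(Exception):
    pass


def apply_configuration_response(current: Registration, body: str) -> Registration:
    """Parse a read/update response and return the registration the client
    should store. A server answering with a different client_id is rebinding
    the client to another identity, which the draft forbids, so such a
    response is rejected rather than stored."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RegistrationError(f"malformed configuration response: {exc}") from exc
    if not isinstance(doc, dict):
        raise RegistrationError("configuration response is not a JSON object")
    client_id = doc.get("client_id")
    if not isinstance(client_id, str) or not client_id:
        raise RegistrationError("configuration response lacks client_id")
    if client_id != current.client_id:
        raise RegistrationError(
            f"client_id changed from {current.client_id!r} to {client_id!r}; "
            "the draft says it MUST NOT change, response discarded")
    # Assumption from RFC 7592, not stated in the thread: the server MAY
    # rotate client_secret and registration_access_token in its response;
    # when present they replace the stored values, otherwise the old ones stay.
    updated = current
    for key in ("client_secret", "registration_access_token"):
        if key in doc:
            if not isinstance(doc[key], str) or not doc[key]:
                raise RegistrationError(f"{key} is not a non-empty string")
            updated = replace(updated, **{key: doc[key]})
    return updated


def try_apply(current: Registration, body: str):
    """Non-raising wrapper: (registration, None) on success, (None, reason) otherwise."""
    try:
        return apply_configuration_response(current, body), None
    except RegistrationError as exc:
        return None, str(exc)


# Constructed sample data (not from the draft): the stored registration, a
# legitimate update that rotates the secret and token, and a response that
# silently swaps the client_id.
INITIAL = Registration("s6BhdRkqt3", "cf136dc3c1fc93f31185e5885805d",
                       "reg-token-1", "https://as.example/register/s6BhdRkqt3")
GOOD_RESPONSE = json.dumps({"client_id": "s6BhdRkqt3", "client_secret": "new-secret",
                            "registration_access_token": "reg-token-2"})
BAD_RESPONSE = json.dumps({"client_id": "some-other-id", "client_secret": "new-secret"})
```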


Re: [OAUTH-WG] Meeting Minutes - IETF#83

2012-04-04 Thread Derek Atkins
Also, FYI, the audio recording of the meeting is available here:

http://www.ietf.org/audio/ietf83/ietf83-252a-20120329-1256-pm.mp3

-derek

On Wed, April 4, 2012 12:01 pm, Hannes Tschofenig wrote:
> Hey guys,
>
> Derek took notes during the meeting and I polished them a bit.
>
> Have a look at them and let us know if there is something missing:
> http://www.ietf.org/proceedings/83/minutes/minutes-83-oauth.txt
>
> Ciao
> Hannes & Derek
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
