Re: [OAUTH-WG] OAuth Digital Credential Status Attestations

2024-01-17 Thread hannes . tschofenig=40gmx . net
Hi Giuseppe, Francesco, Orie, @Orie: Thanks for sharing the draft. As a quick reaction: It would be good to invent a new term for “attestation” in draft-demarco-status-attestations.html because this term is already widely used in a different context (see RFC 9334). @Giuseppe and

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-02 Thread Hannes Tschofenig
everything was re-defined in CBOR/COSE. CWT was one of the outcomes of that work. The idea was nice but the success was below my expectations. On 02.11.2023 at 13:23, Daniel Fett wrote: Hi Hannes, On 02.11.23 at 12:46, Hannes Tschofenig wrote: The question to the authors of the SD-JWT & rel

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-02 Thread Hannes Tschofenig
be, etc. I consider SD-JWT closer to a finish line than a start line and would not like its progress being slowed down by moving it to another WG at this point of document's lifecycle. I am not in favor of moving SD-JWT work to SPICE WG. Best, Kristina From: OAuth On Behalf Of Hannes Tschof

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-01 Thread Hannes Tschofenig
Hi Torsten, On 01.11.2023 at 17:43, tors...@lodderstedt.net wrote: Have I missed a posting on this list where you have started a discussion with the WG of whether the drafts shall be moved into SPICE now? Otherwise I’m wondering about the tone of your post. It’s the WG that needs to decide on

[OAUTH-WG] Missing IPR confirmations .... Re: IPR Disclosure - OAuth 2.0 Security Best Current Practice

2023-11-01 Thread Hannes Tschofenig
John & Andrey - please reply to my email below. Ciao Hannes On 04.10.2023 at 15:41, Tschofenig, Hannes wrote: Hi Daniel, Torsten, Andrey, John, as part of the shepherd write-up, all authors of must confirm that any and all appropriate IPR disclosures required for full conformance with

[OAUTH-WG] Relationship between SPICE and OAuth

2023-11-01 Thread Hannes Tschofenig
Hi all, I am a bit puzzled by the response Pam and I received when putting the agenda for the SPICE BOF together. It appears that most people have not paid attention to the discussions during the last few months. Let me try to get you up to speed. So, here is my summary. The OAuth working

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-03 Thread Hannes Tschofenig
It's unfortunate that the spec does not cite previous work, which the authors are undoubtedly aware of, the same comment was made at the microphone at the last IETF. Orie is right that we have to take prior work into account. I am saying this in response to this call for adoption but it

[OAUTH-WG] IAB statement on the risks of attestation

2023-10-03 Thread Hannes Tschofenig
Here is an IAB statement relevant to the work we are doing on Client Attestation: https://www.iab.org/documents/correspondence-reports-documents/2023-2/iab-statement-on-the-risks-of-attestation-of-software-and-hardware-on-the-open-internet/ You might recall that I talked about attestation at

Re: [OAUTH-WG] SD-JWT does not meet standard security definitions

2023-08-24 Thread Hannes Tschofenig
Hi Watson, deploying technologies can be complex because the incentives need to align. Not everything that looks great on paper gets adopted in the time frame or manner we like. In this specific case U-Prove has not seen excitement in the industry. There are reasons but it is difficult to

[OAUTH-WG] Attestation for Dynamic Client Registration

2023-07-14 Thread Hannes Tschofenig
Hi all, Jan and I wrote a document that adds **attestation** to the dynamic client registration. Here is the document: https://datatracker.ietf.org/doc/draft-tschofenig-oauth-attested-dclient-reg/ It is pretty simple (if you know something about attestation). Ciao Hannes

[OAUTH-WG] Fwd: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)

2023-06-26 Thread Hannes Tschofenig
You might be interested in these discussions on the architecture-disc...@ietf.org regarding a new IAB program focused on identity systems. Here is the link: https://mailarchive.ietf.org/arch/browse/architecture-discuss/ Forwarded Message Subject: [arch-d]

Re: [OAUTH-WG] Simplification and consolidation of SD-JWT terminology and format

2023-06-14 Thread Hannes Tschofenig
Hi Brian, please note that this is a working group item and you cannot make decisions in a small group with off-line discussions. Hence, I suggest to propose the changes to the list and get support for it. As you know, we need to follow this approach to give everyone in the group a chance to

Re: [OAUTH-WG] [IANA #1270467] expert review for draft-ietf-oauth-dpop (oauth-parameters)

2023-04-13 Thread Hannes Tschofenig
Hi Amanda, adding "DPoP" to the OAuth Access Token Types registry is fine as well. Regarding the entries to the "OAuth Access Token Types" registry I have a question: The location should be "resource access error response" rather than "resource error response". If so, then the entries are OK

Re: [OAUTH-WG] [IANA #1270470] expert review for draft-ietf-oauth-dpop (jwt)

2023-04-13 Thread Hannes Tschofenig
Hi Amanda, I have reviewed the registration request and I approve it. Ciao Hannes On 12.04.2023 at 07:47, Amanda Baber via RT wrote: Hi Hannes, Can you also check this JWT registration before Thursday? John's an author, so we would need a review from you.

Re: [OAUTH-WG] [IANA #1267318] expert review for draft-ietf-oauth-step-up-authn-challenge (oauth-parameters)

2023-04-05 Thread Hannes Tschofenig
Hi Amanda, I reviewed the request and I approve it. Thanks for the work. Ciao Hannes On 05.04.2023 at 13:04, Amanda Baber via RT wrote: Hi Hannes, Have you had a chance to review the OAuth Extensions Error registration in this document? It's on next week's telechat agenda.

Re: [OAUTH-WG] OAuth 2.0 Proof-of-Possession (PoP) Security Architecture

2023-04-03 Thread Hannes Tschofenig
Hi Daniel, from the history of the group I think it is fair to say that we can guarantee that there will be further work on this topic. The reason why I agree with Nat is that neither DPoP nor MTLS paint the bigger picture. Ciao Hannes On 03.04.2023 at 09:20, Daniel Fett wrote: Hi

Re: [OAUTH-WG] OAuth WG Agenda @ IETF116

2023-03-21 Thread Hannes Tschofenig
We will schedule virtual interim meetings after IETF#116 to progress topics that need more discussion time. Ciao Hannes On 21.03.2023 at 19:41, Rifaat Shekh-Yusef wrote: All, The IESG raised some concerns around the side meetings. For this reason, we are unfortunately *canceling* these

Re: [OAUTH-WG] redirect uri and portals

2023-03-07 Thread Hannes Tschofenig
Hi Yannick, On 07.03.2023 at 14:25, Yannick Majoros wrote: One possible solution: Store the redirect information in a signed JWT and place the JWT in the state parameter. I don't think this is written somewhere in the security BCP but I think this is a solution used in the wild by multiple

Re: [OAUTH-WG] [oauth-ext-review] [IANA #1261154] expert review for draft-ietf-oauth-rar (OAuth Parameters - OAuth Extensions Error)

2022-12-13 Thread Hannes Tschofenig
This revision is OK. Thanks for all the work. -Original Message- From: oauth-ext-review On Behalf Of Amanda Baber via RT Sent: Friday, December 9, 2022 7:25 PM Cc: wpa...@rhosys.ch; r...@cert.org; oauth@ietf.org; oauth-ext-rev...@ietf.org; Hannes Tschofenig ; bcampb

Re: [OAUTH-WG] [IANA #1261154] expert review for draft-ietf-oauth-rar (OAuth Parameters - OAuth Extensions Error)

2022-12-08 Thread Hannes Tschofenig
Hi all, Thanks for the email, Amanda. I review the IANA consideration request. Only the OAuth Extension Error registration in Section 15.6 of https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar#name-iana-considerations requires some changes. The other, OAuth-related registry entries,

Re: [OAUTH-WG] draft-ietf-oauth-selective-disclosure-jwt

2022-12-05 Thread Hannes Tschofenig
Thanks for the response, Brian. A few remarks below. From: Brian Campbell Sent: Tuesday, November 29, 2022 11:21 PM To: Hannes Tschofenig Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-selective-disclosure-jwt Hi Hannes, Though I am yet to officially have my name on the document as a co

[OAUTH-WG] No OAuth WG Virtual Office Hours today

2022-11-29 Thread Hannes Tschofenig
Rifaat and I are unable. Hence, we need to cancel today's call. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other

[OAUTH-WG] draft-ietf-oauth-selective-disclosure-jwt

2022-11-28 Thread Hannes Tschofenig
Hi Daniel, Hi Kristina, Hi Brian, Hi all, Reading through draft-ietf-oauth-selective-disclosure-jwt I was wondering why the document defines new terminology for roles that already exist in OAuth. For example: * Issuer = AS * Holder = Client * Verifier = RS I assume that was done

Re: [OAUTH-WG] [IANA #1230270] expert review for draft-ietf-oauth-jwk-thumbprint-uri (oauth-parameters)

2022-05-13 Thread Hannes Tschofenig
Hi Michelle, This draft correctly adds one entry to the OAuth URI registry. I approve the registration. Ciao Hannes -Original Message- From: Michelle Thangtamsatid via RT Sent: Thursday, May 5, 2022 6:49 PM Cc: Hannes Tschofenig ; oauth@ietf.org Subject: [IANA #1230270] expert review

Re: [OAUTH-WG] OAuth 2.0 Rich Authorization Requests (RAR): Implementation Status

2022-05-05 Thread Hannes Tschofenig
Thanks for the clarification, Nicolas. This makes sense to me and thanks for implementing the RAR spec. Ciao Hannes -Original Message- From: Nicolas Mora Sent: Wednesday, May 4, 2022 10:07 PM To: Hannes Tschofenig ; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Rich Authorization

Re: [OAUTH-WG] Publication has been requested for draft-ietf-oauth-rar-11

2022-05-05 Thread Hannes Tschofenig
Hi Andrii, Thanks for pointing this out. We will incorporate your editorial changes alongside other review comments from the IESG and various directorates. Ciao Hannes -Original Message- From: Andrii Deinega Sent: Wednesday, May 4, 2022 9:22 PM To: Hannes Tschofenig via Datatracker

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-rar-11

2022-05-04 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-rar-11 as Proposed Standard on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/ ___ OAuth mailing list

[OAUTH-WG] Updated RAR write-up

2022-05-04 Thread Hannes Tschofenig
Hi all, Thanks for the detailed feedback on the implementation status (Takahiko, Torsten, and Vladimir). I have updated the write-up detailing the implementation status. All authors of draft-ietf-oauth-rar have confirmed that any and all appropriate IPR disclosures required for full conformance

Re: [OAUTH-WG] OAuth 2.0 Rich Authorization Requests (RAR): Implementation Status

2022-05-04 Thread Hannes Tschofenig
elouest.io/glewlwyd/ /Nicolas On 2022-04-06 at 09:46, Hannes Tschofenig wrote: > Hi all, > > I am working on the shepherd writeup for the RAR document and the IESG > is interested to hear about the implementation status of this specification. > > What implementations are available th

[OAUTH-WG] Shepherd writeup for draft-ietf-oauth-rar-10

2022-04-06 Thread Hannes Tschofenig
Hi all, Here is the work in progress version of the shepherd writeup for the draft-ietf-oauth-rar-10: https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/shepherdwriteup/ Please take a look at it and let me know if I missed anything. I will ship it to the IESG once all IPR confirmations are

[OAUTH-WG] OAuth 2.0 Rich Authorization Requests (RAR): Implementation Status

2022-04-06 Thread Hannes Tschofenig
Hi all, I am working on the shepherd writeup for the RAR document and the IESG is interested to hear about the implementation status of this specification. What implementations are available that use the RAR functionality or are vendors planning to implement this specification? Ciao Hannes

[OAUTH-WG] IPR Disclosures - OAuth 2.0 Rich Authorization Requests

2022-04-06 Thread Hannes Tschofenig
Authors, as part of the shepherd write-up, all authors of draft-ietf-oauth-rar must confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. Please, reply to this email on the mailing list and indicate

Re: [OAUTH-WG] [oauth-ext-review] [IANA #1216704] Expert Review for draft-ietf-oauth-iss-auth-resp (oauth-parameters) (2)

2022-01-26 Thread Hannes Tschofenig
rtunately, this use is compatible with > > > > that in > > > > draft-ietf-oauth-iss-auth-resp. > > > > > > > > I would be OK with draft-ietf-oauth-iss-auth-resp also registering it > > > > for > > > > usage "authorization response&

[OAUTH-WG] draft-ietf-oauth-rar-08 review

2021-12-21 Thread Hannes Tschofenig
Hi all, thanks for writing this document. I have read through it as part of my shepherd writeup and here are a few comments and questions. Generic Comments: As a style issue, it would be good to treat code segments as figures with figure headings so that references in the text are easier to

[OAUTH-WG] Canceling OAuth Virtual Office Hours today

2021-11-17 Thread Hannes Tschofenig
Hi all, Since neither Rifaat nor myself are available today, we will cancel the virtual office hours for today. Ciao Hannes & Rifaat

[OAUTH-WG] OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-11 Thread Hannes Tschofenig
Hi all Following the virtual interim meeting discussion last week about "OAuth Proof of Possession Tokens with HTTP Message Signature" my main concern is about the unclear boundary between draft-ietf-oauth-dpop and the OAuth Proof of

[OAUTH-WG] New Doodle Poll for OAuth Virtual Office Hours

2021-09-20 Thread Hannes Tschofenig
Hi all We are running a Doodle poll to find suitable times for our bi-weekly OAuth office hours. Here is the link: https://doodle.com/poll/2tf58dmmhvgi6rrt?utm_source=poll_medium=link Ciao Hannes & Rifaat

[OAUTH-WG] No OAuth WG Virtual Office Hours today

2021-09-06 Thread Hannes Tschofenig
Hi all, Due to the holiday in the US and in Canada we are skipping the call today. Ciao Hannes

[OAUTH-WG] No OAuth WG Virtual Office Hours Today

2021-07-12 Thread Hannes Tschofenig
Due to a conflict there is no conference call today. Ciao Hannes

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-par-07

2021-04-29 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-par-07 as None on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-par/

[OAUTH-WG] OAuth 2.0 Pushed Authorization Requests: Shepherd Write-Up

2021-03-24 Thread Hannes Tschofenig
FYI: If you want to track my shepherd write-up for the "OAuth 2.0 Pushed Authorization Requests" specification then you can find it here: https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_PAR.txt Ciao Hannes

[OAUTH-WG] OAuth 2.0 Pushed Authorization Requests: Implementation Status

2021-03-24 Thread Hannes Tschofenig
Hi all, I am working on the shepherd writeup and I need information about the implementation status of this specification. Can you share whether you are implementing, or planning to implement this specification? If there is open source, please drop a link to the mailing list. If you implement

[OAUTH-WG] OAuth 2.0 Pushed Authorization Requests: IPR Confirmation

2021-03-24 Thread Hannes Tschofenig
Hi Torsten, Brian, Nat, Dave, Filip, I am working on the shepherd writeup for the "OAuth 2.0 Pushed Authorization Requests" specification. One item in the shepherd template requires me to indicate whether each document author has confirmed that any and all appropriate IPR disclosures

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-24 Thread Hannes Tschofenig
Hi Phil, I am moving this to the OAuth group to avoid confusing the IETF list any further. See my feedback below. From: ietf On Behalf Of Phillip Hallam-Baker Sent: Wednesday, February 24, 2021 6:47 AM To: Kathleen Moriarty Cc: i...@ietf.org; oauth@ietf.org Subject: Re: Diversity and

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Hannes Tschofenig
or virtual interim meetings. Ciao Hannes PS: This is not a general life advice. There are many things you better skip... From: Bron Gondwana Sent: Tuesday, February 23, 2021 12:51 PM To: Hannes Tschofenig ; i...@ietf.org Cc: oauth@ietf.org Subject: Re: Diversity and Inclusiveness in the IETF Without

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Hannes Tschofenig
Hi Bron, I have to respond to your statements about the OAuth working group below. While we do not pay attention to keeping the charter page up-to-date, we have been able to advance our documents, produce many implementations, and got those deployed all over the Internet. The bar for

[OAUTH-WG] PAR Shepherd Review

2020-11-10 Thread Hannes Tschofenig
Hi all, I am in the process of writing my shepherd write-up for the PAR document and wanted to make sure that I properly understand the document. The introduction says: " This document [PAR] complements JAR by providing an interoperable way to push the payload of an authorization request

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-access-token-jwt-10

2020-10-08 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-access-token-jwt-10 as Proposed Standard on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt

[OAUTH-WG] FW: JWT Secured Authorization Request (JAR): IPR Confirmation

2020-10-05 Thread Hannes Tschofenig
FYI: I am not sure whether this email made it to the mailing list From: Nat Sakimura Sent: Tuesday, September 22, 2020 7:44 AM To: John Bradley Cc: Hannes Tschofenig ; Mike Jones ; oauth@ietf.org Subject: Re: JWT Secured Authorization Request (JAR): IPR Confirmation I know of no IPR, and make

[OAUTH-WG] FW: Subject claim ... was : About draft-ietf-oauth-access-token-jwt-10

2020-09-28 Thread Hannes Tschofenig
<denis.i...@free.fr> Sent: Thursday, September 24, 2020 9:18 AM To: Hannes Tschofenig <hannes.tschofe...@arm.com>; vittorio.berto...@auth0.com Subject: Re: Subject claim ... was : [OAUTH-WG] About draft-ietf-oauth-access-token-jwt-10

[OAUTH-WG] JWT Secured Authorization Request (JAR): IPR Confirmation

2020-09-21 Thread Hannes Tschofenig
Hi Mike, Nat, John, I am updating the shepherd writeup for the "The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)" specification, see https://tools.ietf.org/id/draft-ietf-oauth-jwsreq-30.txt, and given the changes I need your IPR confirmation again. (Mike joined as

[OAUTH-WG] Implementation Status of "JWT Secured Authorization Request (JAR)"

2020-09-21 Thread Hannes Tschofenig
Hi all Because of some procedural issues I have to update the shepherd writeup of the JAR document and I wanted to verify whether the implementations listed in https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_JAR.txt (copied below) are still in line

[OAUTH-WG] Updated shepherd writeup for draft-ietf-oauth-access-token-jwt-09

2020-09-21 Thread Hannes Tschofenig
Hi all, I updated the shepherd writeup for draft-ietf-oauth-access-token-jwt-09 and included the links to the implementations distributed on the list. I am sure there are more. While updating the shepherd writeup I noticed that the draft contains a JWT in a style that does not match the

[OAUTH-WG] Shepherd writeup for the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens -- Information about Implementations

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, Hi all, I am working on the shepherd writeup for and you can find the latest version here: https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_JWT-Profile-for-AccessTokens.txt I am in need for information about implementations that are

[OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens: IPR Confirmation

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, I am working on the shepherd writeup for the "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" specification: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08 One item in the template requires me to indicate whether each document author has confirmed that

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, Thanks for the draft update. Responses to your questions are below: From: Vittorio Bertocci Sent: Tuesday, September 15, 2020 8:59 AM To: Hannes Tschofenig ; oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Thank you Hannes for the thorough review

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-10 Thread Hannes Tschofenig
, September 10, 2020 11:41 AM To: Hannes Tschofenig Cc: Dick Hardt ; oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Hi Hannes, Thank you for responses. See below. Hi Denis, Hi Dick and Hannes, 1) While reading RFC 7519, no reader may be able to figure out

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-10 Thread Hannes Tschofenig
Hi Denis, Hi Dick and Hannes, 1) While reading RFC 7519, no reader may be able to figure out that there are more than two flavours of the "sub" claim. This draft is introducing two new other flavours of the semantics of the "sub" claim which are not present in RFC 7519. When an

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-09 Thread Hannes Tschofenig
and Authorization Protocol (gnap) working group instead. Ciao Hannes From: Dick Hardt Sent: Tuesday, September 8, 2020 6:26 PM To: Denis Cc: Hannes Tschofenig ; oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Denis The objective of this document is to standardize the token

[OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-08 Thread Hannes Tschofenig
Hi Vittorio, Hi all, I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07. Reading through the draft I have a few minor suggestions: Section 2: I would delete this sentence "JWT access tokens are regular JWTs complying with the requirements described in this section."

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-06-04 Thread Hannes Tschofenig
Hi Denis, Please see my response below. From: Denis Sent: Wednesday, June 3, 2020 12:12 PM To: Hannes Tschofenig Cc: Rifaat Shekh-Yusef ; Vittorio Bertocci ; oauth@ietf.org Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" Hi Han

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-06-02 Thread Hannes Tschofenig
Let me try to jump in here in order to make a proposal for the text in the privacy consideration section: FROM: 6. Privacy Considerations As JWT access tokens carry information by value, it now becomes possible

[OAUTH-WG] Virtual Interim meeting next Monday, May 18th -- DPOP Discussion

2020-05-13 Thread Hannes Tschofenig
Hi all, As discussed at the last virtual interim meeting call we will add another slot next Monday to talk about DPOP. This is a continuation of the DPOP discussion we had during one of our virtual interim meeting slots. Please find the meeting invite in the calendar. Ciao Hannes & Rifaat

[OAUTH-WG] Meeting info for April 6th

2020-04-01 Thread Hannes Tschofenig
As announced, here is the calendar invite for the virtual interim meeting next Monday. We are going to focus on the following two documents, as previously posted to the list: 1) OAuth Security Topics https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14 Goal: Make it ready for the

[OAUTH-WG] IETF 107 Virtual OAuth Sessions

2020-03-26 Thread Hannes Tschofenig
Hi all, Rifaat and I had a chat about the virtual interim meetings. We decided to schedule 6 one-hour-long sessions with 2 topics per session. Here is the list of topics we want to discuss: 1) OAuth Security Topics + Browser-Based Apps 2) JSON Web Token (JWT) Profile for OAuth 2.0 Access

[OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-23 Thread Hannes Tschofenig
Hi all, this is a working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens". Here is the document: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04 Please send your comments to the OAuth mailing list by April 6, 2020. Ciao Hannes & Rifaat

[OAUTH-WG] Meeting Notes (9th March 2020)

2020-03-17 Thread Hannes Tschofenig
Participants: - Roman Danyliw - Torsten Lodderstedt - Travis Spencer - Aaron Parecki - Ben Kaduk - Brian Campbell - Cigdem Sengul - Daniel Fett - David Waite - Filip - Jim Schaad - Justin Richer - Marco Tiloca - Matthew de Haast - Michael Peck - Mike Jones - Phil Hunt - Hannes Tschofenig - Joseph

[OAUTH-WG] Virtual Interim Meeting for the PoP Discussion

2020-02-26 Thread Hannes Tschofenig
Hi all, Here are the details for the virtual interim meeting to discuss the proof-of-possession tokens. Date: March, 9th Time: 6:00 PM - 7:30 PM Monday, (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna Meeting number (access code): 641 458 628 Meeting password: BWsAF9rT

[OAUTH-WG] Experts for IANA OAuth Registries

2020-01-16 Thread Hannes Tschofenig
Hi all, as part of the standards work on OAuth we have created several registries, see https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml. Adding and modifying entries in that registry often requires expert reviewers to verify changes. We need volunteers to become expert

[OAUTH-WG] Doodle Poll for scheduling a discussion on proof-of-possession tokens

2020-01-13 Thread Hannes Tschofenig
Hi all, at the Singapore IETF meeting we talked about setting time aside for discussing proof-of-possession tokens. To schedule a call we put a Doodle poll together: https://doodle.com/poll/sqhbeeg6knp435ag Please let us know by the end of the week what dates work for you. Ciao Hannes &

[OAUTH-WG] Virtual Interim Meeting/Conference Call on Feb. 10th

2020-01-07 Thread Hannes Tschofenig
Hi all, Based on the feedback we have selected Feb, 10th at 6pm CET. In other time zones this is: https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020=2=10=17=0=0=1889=179=137 Meeting link: https://ietf.webex.com/ietf/j.php?MTID=m2d06208053cadb653212b11cfc65eeaf Meeting number:

[OAUTH-WG] No OAuth Call Today

2019-12-30 Thread Hannes Tschofenig
Due to vacation there is no OAuth call today. We wish you a Happy New Year! Ciao Hannes & Rifaat

Re: [OAUTH-WG] Doodle Poll for OAuth Virtual Interim Meeting

2019-12-24 Thread Hannes Tschofenig
, Dec 16, 2019 at 11:12 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote: Hi all, at the Singapore IETF meeting we had a discussion about a possible update of RFC 6749 (with the codename of “OAuth 2.1”). A discussion at a side-meeting in Singapore made clear that there is no

Re: [OAUTH-WG] Meeting Minutes

2019-12-23 Thread Hannes Tschofenig
, December 21, 2019 10:59 AM To: Hannes Tschofenig Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Meeting Minutes With respect to Rich Authorization Requests, the minutes state that a call for adoption will be sent to the list. When will this call for adoption be sent to the list? On 03.12.2019 at 09

[OAUTH-WG] Doodle Poll for OAuth Virtual Interim Meeting

2019-12-16 Thread Hannes Tschofenig
Hi all, at the Singapore IETF meeting we had a discussion about a possible update of RFC 6749 (with the codename of "OAuth 2.1"). A discussion at a side-meeting in Singapore made clear that there is no common view about the goals of such an effort and whether there are other options to reach

[OAUTH-WG] Meeting Minutes

2019-12-03 Thread Hannes Tschofenig
Here are the meeting minutes from the Singapore IETF meeting: https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03 Tony was our scribe. Thanks!

[OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

2019-11-06 Thread Hannes Tschofenig
Hi all, this is a working group last call for "OAuth 2.0 Security Best Current Practice". Here is the document: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13 Please send your comments to the OAuth mailing list by Nov. 27, 2019. (We use a three week WGLC because of the IETF

Re: [OAUTH-WG] Virtual Office Hours

2019-10-17 Thread Hannes Tschofenig
Hi Brian, Hi Lee, the secretary will distribute the information in an “official way”. I expect this to happen in the next few days. Ciao Hannes From: OAuth On Behalf Of Brian Campbell Sent: Wednesday, 16 October 2019 16:32 To: Lee McGovern Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Virtual

[OAUTH-WG] Virtual Interim Meeting - Nov. 4th

2019-10-15 Thread Hannes Tschofenig
Hi all, we would like to hold a virtual interim meeting to discuss the next steps regarding the OAuth 2.0 Security Best Current Practice (https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/) draft. Time would be at our bi-weekly OAuth WG Virtual Office Hours (i.e., 6:00 PM to

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

2019-09-12 Thread Hannes Tschofenig
Thanks for the correction; yes – the most recent version is -02 and I posted an old link. From: Eve Maler Sent: Thursday, 12 September 2019 16:16 To: Hannes Tschofenig Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01 I think you mean https://tools.ietf.org/html/draft

[OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

2019-09-11 Thread Hannes Tschofenig
Hi all, We are starting a WGLC on the "OAuth 2.0 Incremental Authorization" draft. You can find the document here: https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-01 Please review the document and provide feedback. The WGLC will end September 25th, 2019. Ciao Hannes & Rifaat

Re: [OAUTH-WG] Virtual Interim Meeting: Doodle Poll

2019-06-04 Thread Hannes Tschofenig
. Because the agenda of the meeting was announced upfront already we believe we cannot change the agenda at this point in time anymore. We will still hold our regular OAuth WG office hour, if anyone wants to chat with Rifaat and myself about OAuth WG business. Ciao Hannes From: Hannes

[OAUTH-WG] Virtual Interim Meeting: Doodle Poll

2019-05-28 Thread Hannes Tschofenig
Hi all, at the Prague IETF meeting we ran a bit out of time during the working group session and therefore we would like to schedule an interim meeting to continue the conversation about UMA. Rifaat and I have set up a Doodle poll with two possible dates (1 hour slots at the bi-weekly OAuth

Re: [OAUTH-WG] MTLS vs. DPOP

2019-05-08 Thread Hannes Tschofenig
Hi Ben, > I've forgotten the details of those two documents, but in the general case, > if there's a WG document that is no longer actively being worked on (or is > now believed to be a bad idea), the chairs can pretty easily get a new rev > posted that has a "tombstone" notice, like "this

Re: [OAUTH-WG] MTLS vs. DPOP

2019-05-07 Thread Hannes Tschofenig
George, > I don't see them the same at all. With MTLS, the token is bound to the > transport layer (and the key used to establish that encrypted connection). > With DPOP, the token is bound to the private key known to the client. Strictly speaking both solutions tie the token to the public key

Re: [OAUTH-WG] OAuth security topics

2019-05-07 Thread Hannes Tschofenig
eroperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx ) - got early feedback from Filip Skokan on it. Thx Filip! *

Re: [OAUTH-WG] MTLS and Native apps Best practices

2019-05-07 Thread Hannes Tschofenig
Hi Phil I believe this is a question that William and John may be able to answer. Should MTLS be added to a future version of the Native Apps BCP? If the answer is “no”, why not? Ciao Hannes From: OAuth On Behalf Of Phil Hunt Sent: Donnerstag, 2. Mai 2019 20:41 To: oauth Subject:

Re: [OAUTH-WG] Formal analysis of draft-ietf-oauth-pop-key-distribution

2019-05-07 Thread Hannes Tschofenig
Hi Ben, currently we don't seem to have an indication that there is an attack possible. It would be interesting to see whether we could still construct one. Maybe you can dig out other protocols that have tried to accomplish similar goals (and failed). Ciao Hannes -Original Message-

[OAUTH-WG] MTLS vs. DPOP

2019-05-07 Thread Hannes Tschofenig
Hi all, In the OAuth conference call today Vittorio mentioned that some folks are wondering whether DPOP is essentially a superset of MTLS and whether it makes sense to only proceed with one solution rather than potentially two. I was wondering whether others in the group have a view about this

[OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread Hannes Tschofenig
Hi all, this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens' document following the positive feedback at the last IETF meeting in Prague. Here is the document: https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00 Please let us know by April 22nd whether you

Re: [OAUTH-WG] Possible help with product design

2019-04-08 Thread Hannes Tschofenig
Hi Milind, while there are lots of people on this list with hands-on experience with OAuth 2.0 the purpose of this mailing list is primarily for discussions related to the specifications developed by the OAuth working group. Here you can find our active working group specifications:

Re: [OAUTH-WG] Question regarding RFC 7800

2019-04-08 Thread Hannes Tschofenig
Hi Robert, the work on RFC 7800 has been completed from the point of view of the OAuth working group. As Ludwig mentioned below, it is being used by other working groups in the IETF but also by companies as-is. Even in the OAuth working group we have other documents that build on top of it,

[OAUTH-WG] Early IANA registration for Token Exchange Draft

2019-04-01 Thread Hannes Tschofenig
Hi all The authors of the token exchange draft asked IANA for an early registration of URIs and parameters, token types, claims, etc. IANA asked me for review and I unfortunately do not know (or remember) why this early registration is needed. Any reason to do this early registration? Ciao

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-06.txt

2019-03-27 Thread Hannes Tschofenig
: OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution Authors : John Bradley Phil Hunt Michael B. Jones Hannes Tschofenig Mihaly Meszaros Filename

[OAUTH-WG] Re-sending "Conclusion ... OAuth Security Topics -- Recommend authorization code instead of implicit"

2019-03-25 Thread Hannes Tschofenig
I am re-sending the conclusion summary email following the discussion about the implicit grant, as discussed in the OAuth WG meeting in Prague today. https://mailarchive.ietf.org/arch/msg/oauth/mLWi6wji31qOkciSgPjXPK98ydc Ciao Hannes

[OAUTH-WG] draft-ietf-oauth-pop-key-distribution-06

2019-03-11 Thread Hannes Tschofenig
Well. I made a mistake with version -05. Now there is a version -06 Ciao Hannes From: OAuth On Behalf Of Hannes Tschofenig Sent: Montag, 11. März 2019 13:52 To: oauth Subject: [OAUTH-WG] draft-ietf-oauth-pop-key-distribution-05 I just submitted -05 of the draft. The updates are limited

[OAUTH-WG] draft-ietf-oauth-pop-key-distribution-05

2019-03-11 Thread Hannes Tschofenig
I just submitted -05 of the draft. The updates are limited to author info updates and minor editorial nits. Ciao Hannes

Re: [OAUTH-WG] Resource Indicators - IPR Disclosure

2019-02-25 Thread Hannes Tschofenig
I am not aware of any IPR related to this document. From: Rifaat Shekh-Yusef Sent: Montag, 25. Februar 2019 22:15 To: Brian Campbell Cc: draft-ietf-oauth-resource-indicat...@ietf.org; oauth Subject: Re: [OAUTH-WG] Resource Indicators - IPR Disclosure Authors, Since the draft was updated

Re: [OAUTH-WG] New User-Managed Access (UMA) drafts

2019-02-14 Thread Hannes Tschofenig
A big thanks to the UMA team for this contribution. I am looking forward to the presentation and discussion at the next IETF meeting. Ciao Hannes From: OAuth On Behalf Of Eve Maler Sent: Mittwoch, 13. Februar 2019 23:01 To: oauth@ietf.org Subject: [OAUTH-WG] New User-Managed Access (UMA)

[OAUTH-WG] Reminder - FW: 4th OAuth Security Workshop - Registration now open!

2019-02-14 Thread Hannes Tschofenig
A short reminder to submit your paper and/or tutorial for the upcoming OAuth Security workshop. From: OAuth On Behalf Of Daniel Fett Sent: Donnerstag, 7. Februar 2019 16:03 To: oauth@ietf.org Subject: [OAUTH-WG] 4th OAuth Security Workshop - Registration now open! All, The registration for
