Hannes Tschofenig
2016-04-01 16:00:13 UTC
Hi all,
based on the feedback I have updated the meeting agenda.
Here is the new proposal:
https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
Ciao
Hannes
---------------------
IETF 95 OAuth Meeting Agenda
Wednesday, 10:00-12:30
Chairs: Hannes Tschofenig/Derek Atkins
- Status Update (Hannes, 5 min)
(a) Informal OAuth Security Workshop (December 2015)
(b) OAuth Security Workshop (July 2016)
(c) Re-chartering
(d) "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" as RFC
*** WG Documents ***
- OAuth 2.0 Mix-Up Mitigation (Hannes, 45 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
Presentation about the problems/threats we are solving:
(a) OAuth Mix-Up (John)
(b) Cut-and-paste Attack (Nat)
Move cut-and-paste threat to a different document?
- OAuth Discovery (45min)
What are the use cases the discovery document is solving?
OAuth 2.0 Authorization Server Discovery Metadata (Mike, 15 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/
OAuth Response Metadata (Nat, 15min)
https://datatracker.ietf.org/doc/draft-sakimura-oauth-meta/
OAuth 2.0 Bound Configuration Lookup (Phil, 15min)
https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00
- Token Exchange (Brian, 15 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
What has been done and discuss open issues?
Implementation status? Interoperability?
- OAuth 2.0 for Native Apps (William, 15 min)
http://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
Presentation of availability of code. Moving the document to WGLC as
soon as enough people did interop tests.
*** Non-WG Documents ***
- Resource Indicators for OAuth 2.0 (Brian/John, 15 min)
https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/
*** Not Discussed ***
- Authentication Method Reference Values document published.
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
- Proof-of-Possession
http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
- OAuth 2.0 JWT Authorization Request (JAR)
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
Why is the document important? (related to mix-up attack)
After the WGLC is the document ready?
- OAuth 2.0 Security: Closing Open Redirectors in OAuth
https://datatracker.ietf.org/doc/draft-ietf-oauth-closing-redirectors/
Haven't received more feedback. WGLC?
- OAuth 2.0 Device Flow
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
Compare the document with current deployment and provide feedback.
Mike to send feedback from the Microsoft team.
- Conclusion (Hannes, 10 min)