Discussion:
[OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption
Hannes Tschofenig
2017-02-20 11:02:42 UTC
Hi all,

earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).

For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.

Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.

Ciao
Hannes & Derek
Nat Sakimura
2017-03-02 18:55:25 UTC
Great!
Post by Hannes Tschofenig
Hi all,
earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).
For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.
Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.
Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Nat Sakimura

Chairman of the Board, OpenID Foundation
Torsten Lodderstedt
2017-03-04 18:10:44 UTC
Hi Hannes,

just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP.

Is this consistent with your expectation?

kind regards,
Torsten.
Post by Hannes Tschofenig
Hi all,
earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).
For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.
Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.
Ciao
Hannes & Derek
John Bradley
2017-03-05 23:17:27 UTC
A BCP is still assigned an RFC number.

The intent is to have a BCP number as well.

E.g., BCP195’s current instance is RFC 7525.

The intent is to have a BCP series but the process is largely the same as I understand it.

John B.
Post by Torsten Lodderstedt
Hi Hannes,
just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP.
Is this consistent with your expectation?
kind regards,
Torsten.
Post by Hannes Tschofenig
Hi all,
earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).
For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.
Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.
Ciao
Hannes & Derek
Hannes Tschofenig
2017-03-06 15:05:35 UTC
Yes, this matches my understanding of the discussions at the Seoul meeting.
Post by Torsten Lodderstedt
Hi Hannes,
just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP.
Is this consistent with your expectation?
kind regards,
Torsten.
Post by Hannes Tschofenig
Hi all,
earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).
For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.
Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.
Ciao
Hannes & Derek