For what it's worth, I was on the call too, until Brian and I left to join the telechat for the OAuth assertions drafts.
-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, October 16, 2014 9:55 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

Participants:

* Brian Campbell
* John Bradley
* Derek Atkins
* Phil Hunt
* William Kim
* Josh Mandel
* Hannes Tschofenig

Notes:

Justin distributed a draft write-up and explained the reasoning behind it. The intended purpose is to put the write-up (after enough review) on oauth.net. See attachments.

Justin solicited feedback from the conference call participants and from the working group.

One discussion item was specifically related to the concept of audience restrictions, which comes in two flavours: (a) restriction of the access token regarding the resource server and (b) restriction of the ID token regarding the client. Obviously, it is necessary to have both of these audience restrictions in place and to actually check them.

The group then went into a discussion about the use of pseudonyms in authentication and the problems deployments ran into when they used pseudonyms together with a wide range of attributes that identified users nevertheless. Phil suggested producing a write-up about this topic.

Finally, the group started a discussion about potential actions for the OAuth working group. Two activities were mentioned, namely to produce an IETF draft of the write-up Justin has prepared as a "formal" response to the problems with authentication using OAuth and, as a second topic, potential re-chartering of the OAuth working group to work on some solutions in this area. Hannes suggested postponing these discussions and first finishing the write-up Justin had distributed.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
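The two audience checks the notes call out, (a) the resource server checking that an access token was issued for it and (b) the client checking that an ID token was issued to it, as an added illustration that is not code from the thread or from the OAuth working group. Tokens are minimal HS256 JWTs built with the Python standard library only; the issuer URL, client identifiers, resource URIs and the shared key are made-up sample values, and `aud` is handled as either a string or an array as RFC 7519 allows.

```python
"""Audience restrictions on access tokens (resource server side) and
ID tokens (client side). Added example; issuer, clients, resources and
the HMAC key are assumed sample values, not anything from the thread."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example"  # assumed authorization server / OpenID provider


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT (RFC 7515/7519) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, key: bytes) -> dict:
    """Verify signature and expiry, return the claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def _audience_contains(claims: dict, expected: str) -> bool:
    """`aud` may be one string or a list of strings (RFC 7519 section 4.1.3)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    return isinstance(aud, list) and expected in aud


def verify_access_token(token: str, key: bytes, my_resource: str) -> dict:
    """Check (a): a resource server only honours tokens whose audience names it."""
    claims = decode_jwt(token, key)
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if not _audience_contains(claims, my_resource):
        raise ValueError("access token not intended for this resource server")
    return claims


def verify_id_token(token: str, key: bytes, my_client_id: str) -> dict:
    """Check (b): a client only accepts ID tokens issued to it, not to another client."""
    claims = decode_jwt(token, key)
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if not _audience_contains(claims, my_client_id):
        raise ValueError("ID token issued to a different client")
    if "sub" not in claims:
        raise ValueError("ID token lacks a subject")
    return claims


def demo() -> dict:
    """Present constructed tokens to the right and wrong parties; True = accepted."""
    key = b"shared-secret-for-illustration-only"  # assumed; would be per-deployment
    exp = int(time.time()) + 300
    access = encode_jwt({"iss": ISSUER, "sub": "alice", "aud": "https://api.example", "exp": exp}, key)
    id_tok = encode_jwt({"iss": ISSUER, "sub": "alice", "aud": ["client-a"], "exp": exp}, key)
    # attacker re-labels the audience but cannot re-sign: old signature over new payload
    h, _, s = access.split(".")
    forged = f"{h}.{_b64url(json.dumps({'iss': ISSUER, 'sub': 'alice', 'aud': 'https://other.example', 'exp': exp}).encode())}.{s}"

    def accepted(fn, *args):
        try:
            fn(*args)
            return True
        except ValueError:
            return False

    return {
        "access_at_intended_rs": accepted(verify_access_token, access, key, "https://api.example"),
        "access_at_other_rs": accepted(verify_access_token, access, key, "https://other.example"),
        "forged_aud_at_other_rs": accepted(verify_access_token, forged, key, "https://other.example"),
        "id_at_intended_client": accepted(verify_id_token, id_tok, key, "client-a"),
        "id_at_other_client": accepted(verify_id_token, id_tok, key, "client-b"),
        "access_used_as_id": accepted(verify_id_token, access, key, "client-a"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last case is the one the call was circling: an access token handed to a client as if it were proof of login carries no audience for any client, so a client that checks `aud` rejects it, while a client that skips the check would accept a token minted for a completely different relying party. Real deployments also have to validate the issuer against the expected provider and, for ID tokens with several audiences, check the `azp` claim as OpenID Connect Core requires.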