Hi all, Happy New Year!
I thought it would be good to quickly summarize where we are with our work in OAuth as we start into 2015.

Late last year we issued a few working group last calls.

* SPOP
  https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/

  The WGLC was started already in the summer and led to a huge amount of feedback. This led to an improved draft. Nat, John, Naveen: What is the status of the document? What are the open issues? At a minimum there is the issue with the name of the document, since it actually does not propose a proof-of-possession solution.

* Token Introspection
  https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/

  Justin told me that he believes the document is ready for the IESG. I will do my shepherd write-up and shepherd review of the latest version before I hand it over to Kathleen.

* Dynamic Client Registration
  http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-21

  We had a fair amount of discussion about this document on the mailing list in response to my shepherd write-up. A new version of the document has been published and I will have to double-check whether the review comments have been incorporated. Then, the document will be ready for the IESG.

* OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/

  We issued a WGLC and received comments, which have not yet been incorporated. The obvious next step is to publish a new version of the document with the comments addressed. There is also the new mailing list <unbearable> and we have to figure out how this aligns with the work we are doing. Info is here: http://www.ietf.org/mail-archive/web/oauth/current/msg13997.html
  Derek will be the shepherd for that document.

I also wanted to produce a short write-up in response to a news story late last year that blamed OAuth for getting things wrong, while the real issue is rather with the way responsibilities are distributed among the different players in the ecosystem. Here is the link to the discussion and the news story: http://www.ietf.org/mail-archive/web/oauth/current/msg13929.html

We also have various documents in IESG processing, namely

* JWT
* Assertion Framework
* SAML Bearer Assertion
* JWT Bearer Assertion

Kathleen asked us to do a final review of the documents to make sure that the various review comments have been addressed appropriately. I am planning to have a look at it today.

There is also a webinar upcoming, namely about Kantara UMA. This webinar will be a bit different from earlier presentations you have heard about UMA, since it will be focused on the Internet of Things. This is part of the webinar series we do in the IETF ACE working group. Here is a link to the announcement: http://www.ietf.org/mail-archive/web/oauth/current/msg14015.html

Related to the work in this group is the SASL OAuth draft, which is currently in WGLC in the KITTEN working group, and you might want to do a quick review of the document: https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-18
Here is the WGLC announcement from the KITTEN chairs: http://www.ietf.org/mail-archive/web/oauth/current/msg14020.html

There is also the "authentication in OAuth" topic that we wanted to progress. There is a write-up from Justin available, which will inform the debate, but there was also interest in doing something more official in the working group. We discussed this at the last IETF meeting.

Also at the last IETF meeting we briefly spoke about the token exchange/token delegation work, and I got the impression that there is a bit of confusion about the scope of the work and what functionality should be covered in which document.

The last two topics seem to be suitable for conference calls. So, we will try to arrange something to progress these topics.

Finally, there is the open redirect Antonio raised in http://www.ietf.org/mail-archive/web/oauth/current/msg13367.html. The attack might be difficult to understand, but it is still worthwhile to make an attempt to explain it to a wider audience (and also the mitigation technique). I believe a draft would be quite suitable for this purpose and I have spoken with Antonio about it already.

These are the items that come to mind right now. A lot of work ahead of us, as it seems.

What is missing from the list? Feedback?

Ciao
Hannes & Derek