For mix-up we have the mix-up mitigation draft, and the question of whether the 
mitigation for the cut-and-paste attack should stay as part of that or be 
separate.

There are the two drafts that attempt to prevent leakage of bearer AT by the RS.

We don’t necessarily have consensus yet on whether this is a real problem that OAuth 
needs to solve vs the API/Application using OAuth, as OAuth itself doesn’t say 
anything about how the client learns about the RS other than developer config 
out of band.

I can try and lead all or part of it.

John B.

> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.h...@oracle.com> wrote:
> 
> I’m not sure you intend to discuss it in the Mix-up section, but I think we 
> need time to discuss the correct configuration of clients and the 
> resource/aud relationship issues (specifically: 
> draft-campbell-oauth-resource-indicators 
> <http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt> 
> and draft-hunt-oauth-bound-config 
> <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
> 
> There is apparently overlap with mix-up mitigation (either in reality or 
> perception), so I think it is important to have a verbal discussion on this 
> to get to consensus and understanding of the separate issues.
> 
> As for POP-architecture, that has been on hold pending the mix-up discussions 
> and understanding of dynamic client risks.  So, not much need to discuss from 
> my perspective.
> 
> Thanks,
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.h...@oracle.com
> 
>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>> 
>> Hi all,
>> 
>> I need your help creating the agenda for the next meeting. We have a 2
>> 1/2 hour slot and many different topics to discuss. I put a strawman
>> proposal together but there are various things missing:
>> 
>> * who volunteers to present and to lead the discussion,
>> * what time allocation is appropriate,
>> * what you are trying to accomplish during the meeting (goals), and
>> * what other items would you like to discuss (I know there are various
>> items missing from the list).
>> 
>> So, your input is needed!
>> 
>> -------
>> 
>> IETF 95 OAuth Meeting Agenda
>> Wednesday, 10:00-12:30
>> Chairs: Hannes Tschofenig/Derek Atkins
>> 
>> - Status Update (Hannes, 5 min)
>> 
>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min )
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>> 
>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
>> 
>> - Proof-of-Possession (TBD, 35 min)
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>> 
>> - Token Exchange (TBD, 15 min)
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>> 
>> - OAuth 2.0 for Native Apps (William, 15 min)
>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
>> 
>> - Authentication Method Reference Values (Mike, 15 min)
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>> 
>> - Conclusion (Hannes, 5 min)
>> 
>> -------
>> 
>> The latest version can be found at:
>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
>> 
>> Ciao
>> Hannes & Derek
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth