I'll take Token Exchange. It'll be a status update and quick look at some
open issues. Hope to keep it short.

+1 the characterization of mix-up mitigation.

I can also talk about draft-campbell-oauth-resource-indicators, however,
maybe it should be part of the somewhat larger conversation that John has
kindly volunteered to lead.

I realize we can't cover everything but "OAuth 2.0 Authorization Server
Discovery Metadata" seems conspicuously absent from the agenda.
On Mon, Mar 21, 2016 at 4:31 PM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:

> Hi John,
>
>
>
> On 03/21/2016 10:47 PM, John Bradley wrote:
> > For mix up we have the mix-up mitigation draft,  and the question of if
> > the mitigation for the cut and paste attack should stay as part of that
> > or be separate.
>
> That's a good summary.
>
> >
> > There are the two drafts that attempt to prevent leakage of bearer AT by
> > the RS.
> >
> > We don’t necessarily have consensus yet on if this is a real problem
> > that OAuth needs to solve vs the API/Application using OAuth, as OAuth
> > itself doesn’t say anything about how the client learns about the RS
> > other than developer config out of band.
> >
> > I can try and lead all or part of it.
>
> I think it is fair that this topic is part of a separate discussion item
> on the agenda, as Phil proposed.
>
> Ciao
> Hannes
>
> >
> > John B.
> >
> >> On Mar 21, 2016, at 8:46 PM, Phil Hunt <phil.h...@oracle.com
> >> <mailto:phil.h...@oracle.com>> wrote:
> >>
> >> I’m not sure you intend to discuss it in the Mix-up section, but I
> >> think we need time to discuss the correct configuration of clients and
> >> the resource/aud relationship issues
> >> (specifically: draft-campbell-oauth-resource-indicators
> >> <http://tools.ietf.org/id/draft-campbell-oauth-resource-indicators-01.txt>
> >> and draft-hunt-oauth-bound-config
> >> <http://tools.ietf.org/id/draft-hunt-oauth-bound-config-00.txt>).
> >>
> >> There is apparently overlap with mix-up mitigation (either in reality
> >> or perception), so I think it is important to have a verbal discussion
> >> on this to get to consensus and understanding of the separate issues.
> >>
> >> As for POP-architecture, that has been on hold pending the mix-up
> >> discussions and understanding of dynamic client risks.  So, not much
> >> need to discuss from my perspective.
> >>
> >> Thanks,
> >>
> >> Phil
> >>
> >> @independentid
> >> www.independentid.com <http://www.independentid.com/>
> >> phil.h...@oracle.com <mailto:phil.h...@oracle.com>
> >>
> >>
> >>
> >>
> >>
> >>> On Mar 21, 2016, at 1:15 PM, Hannes Tschofenig
> >>> <hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net>> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I need your help creating the agenda for the next meeting. We have a 2
> >>> 1/2 hour slot and many different topics to discuss. I put a strawman
> >>> proposal together but there are various things missing:
> >>>
> >>> * who volunteers to present and to lead the discussion,
> >>> * what time allocation is appropriate,
> >>> * what you are trying to accomplish during the meeting (goals), and
> >>> * what other items would you like to discuss (I know there are various
> >>> items missing from the list).
> >>>
> >>> So, your input is needed!
> >>>
> >>> -------
> >>>
> >>> IETF 95 OAuth Meeting Agenda
> >>> Wednesday, 10:00-12:30
> >>> Chairs: Hannes Tschofenig/Derek Atkins
> >>>
> >>> - Status Update (Hannes, 5 min)
> >>>
> >>> - OAuth 2.0 JWT Authorization Request (Nat, 15 min )
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> >>>
> >>> - OAuth 2.0 Mix-Up Mitigation (TBD, 45 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
> >>>
> >>> - Proof-of-Possession (TBD, 35 min)
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
> >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
> >>>
> >>> - Token Exchange (TBD, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
> >>>
> >>> - OAuth 2.0 for Native Apps (William, 15 min)
> >>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
> >>>
> >>> - Authentication Method Reference Values (Mike, 15 min)
> >>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
> >>>
> >>> - Conclusion (Hannes, 5 min)
> >>>
> >>> -------
> >>>
> >>> The latest version can be found at:
> >>> https://www.ietf.org/proceedings/95/agenda/agenda-95-oauth
> >>>
> >>> Ciao
> >>> Hannes & Derek
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
>
>
>
>