Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls

2018-11-05 Thread Neil Madden
Is there an intention that any semantics are attached to the SAN being a URI or DNS name or IP or ...? Or is it still intended to be an opaque identifier?
> On 6 Nov 2018, at 01:55, Brian Campbell wrote:
>
> Thanks Evan for bringing this to the WG's attention. More or less the same
> questi

Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-05 Thread Justin P Richer
The need is in the distributed OAuth draft, which has more detail of its use case. The problem with using either the token or authorization endpoint as the sole identity of the auth server is that OAuth doesn’t stick to just one of them and there’s no solid way to tie them together apart from AS

Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-05 Thread David Waite
Is there a need for a client to understand the identity of an authorization server? This would seem to mean that the token or authorization endpoint would need to be that identity, rather than the issuer (since now the metadata might not be from an authoritative location)
-DW
> On Nov 5, 2018

[OAUTH-WG] AS Discovery in Distributed Draft

2018-11-05 Thread Justin P Richer
In the meeting tonight I brought up a response to the question of whether to have full URL or plain issuer for the auth server in the RS response’s header. My suggestion was that we have two different parameters to the header to represent the AS: one of them being the full URL (as_uri) and one o

Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls

2018-11-05 Thread Brian Campbell
Thanks Evan for bringing this to the WG's attention. More or less the same question/issue was raised yesterday in the area director's review of the document as well. I plan to bring this up as a discussion item in the meeting today. But my sense from some early discussions is that there is likely t

[OAUTH-WG] Mail regarding draft-ietf-oauth-mtls

2018-11-05 Thread Evan Gilman
Hello everyone. Very excited to see this draft. It helps tremendously in addressing use cases around OAuth client management in machine-to-machine scenarios. Particularly, the PKI authentication method. In reviewing the document, I noticed that the only supported method for identifying a client u

[OAUTH-WG] OAuth Security Workshop 2019 - Save the Date!

2018-11-05 Thread Torsten Lodderstedt
Hi all, it has become a tradition to conduct an OAuth Security Workshop once a year. This time it is taking place March 20–22, 2019 (just before IETF-104 in Prague), in Stuttgart/Germany, and is hosted by the Institute of Information Security (SEC) at the University of Stuttgart. And here is

Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp

2018-11-05 Thread Mike Jones
Hi Eric. Thanks again for your review. https://github.com/yaronf/I-D/pull/24 is intended to address your review comments. Text changes made to address each of your comments are listed below.
From: OAuth On Behalf Of Eric Rescorla
Sent: Monday, August 27, 2018 4:03 AM
To: oauth
Subject: [OAU