[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Neil Madden
On 5 Sep 2024, at 05:45, David Waite wrote: > >  > >> On Sep 4, 2024, at 4:27 PM, Neil Madden wrote: >> >>> On 4 Sep 2024, at 22:48, Watson Ladd wrote: >>> >>> I can always grab the cookie jar off the user browser if I have that >>> level of access. >> >> USB access is not privileged, but

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread David Waite
> On Sep 4, 2024, at 4:27 PM, Neil Madden wrote: > > On 4 Sep 2024, at 22:48, Watson Ladd wrote: >> >> I can always grab the cookie jar off the user browser if I have that >> level of access. > > USB access is not privileged, but that’s beside the point. > > Put another way, the phishing-r

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Neil Madden
On 4 Sep 2024, at 22:48, Watson Ladd wrote: > > On Wed, Sep 4, 2024 at 2:46 PM Neil Madden wrote: >> >> >> >> On 4 Sep 2024, at 21:31, Tim Cappalli wrote: >> >>  >>> >>> Thanks, that’s good to know. Does it preserve phishing resistance? Ie the >>> app cannot spoof the rpId? >> >> >> T

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-04 Thread Watson Ladd
The privacy considerations section does not have enough RFC 2119 language in the Unlinkability section. There is no workable guidance on how to mitigate these risks. Presentation to users is not a workable solution: please learn from how browsers have suffered a lot at this. It's also very prolix.

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-04 Thread Joseph Salowey
I support adoption. Joe On Wed, Sep 4, 2024 at 7:50 AM Joel Kamp wrote: > I support adoption. > > On Tue, Sep 3, 2024 at 5:49 AM Rifaat Shekh-Yusef > wrote: > >> All, >> >> As per the discussion in Vancouver, this is a call for adoption for the >> *Proof >> of Issuer Key Authority (PIKA) *dra

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Aaron Parecki
A native UI does not rule out WebAuthn/FIDO, in fact we have an in-progress branch of the draft that shows how you could support passkeys with this spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93 While there isn't an RFC for authenticating first-party apps, there is plenty of prece

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-04 Thread Neil Madden
I haven’t read the latest draft in a lot of detail, but I did check over the cryptographic details again and everything seems reasonable to me. One error I noticed in section 5.2.4.1: "For example, using the digest of the object property Disclosure created above, the Issuer could create the fol

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-04 Thread Joel Kamp
I support adoption. On Tue, Sep 3, 2024 at 5:49 AM Rifaat Shekh-Yusef wrote: > All, > > As per the discussion in Vancouver, this is a call for adoption for the *Proof > of Issuer Key Authority (PIKA) *draft: > https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/ > > Please, reply on the mai

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Neil Madden
I am a bit skeptical about this one. I’m not convinced we should be recommending native UI until/unless we have a really good story around authenticating first-party apps. Without such a story, I don’t think this should be adopted. Unless I’m mistaken, a native UI also rules out WebAuthn/FIDO-b

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Aaron Parecki
I, as an author of this draft, unsurprisingly support adoption. Aaron On Tue, Sep 3, 2024 at 3:47 AM Rifaat Shekh-Yusef wrote: > All, > > As per the discussion in Vancouver, this is a call for adoption for the > First Party Apps draft: > https://datatracker.ietf.org/doc/draft-parecki-oauth-fir

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-04 Thread Rohan Mahy
A bit late, but I haven't seen any specific outcome yet. I support adoption of PIKA and I am willing to review and implement it. Thanks, -rohan On Tue, Sep 3, 2024 at 3:50 AM Rifaat Shekh-Yusef wrote: > All, > > As per the discussion in Vancouver, this is a call for adoption for the *Proof > of

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Joseph Heenan
Hi I strongly support adoption. Joseph > On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef wrote: > > All, > > As per the discussion in Vancouver, this is a call for adoption for the First > Party Apps draft: > https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/ > > Please, re

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread Daniel Fett
+1 On 04.09.24 at 15:30, David Brossard wrote: I support adoption On Tue, Sep 3, 2024 at 4:03 AM Dick Hardt wrote: I support adoption. On Tue, Sep 3, 2024 at 11:47 AM Rifaat Shekh-Yusef wrote: All, As per the discussion in Vancouver, this is a call for

[OAUTH-WG] Re: Call for adoption - PIKA

2024-09-04 Thread Ethan Heilman
I support adoption. If standardized I plan to implement PIKA for use in my OIDC-based cosigner. I would use PIKA in OpenPubkey if OPs supported it. On Tue, Sep 3, 2024 at 6:49 AM Rifaat Shekh-Yusef wrote: > > All, > > As per the discussion in Vancouver, this is a call for adoption for the Proof

[OAUTH-WG] Re: Call for adoption - First Party Apps

2024-09-04 Thread David Brossard
I support adoption On Tue, Sep 3, 2024 at 4:03 AM Dick Hardt wrote: > I support adoption. > > On Tue, Sep 3, 2024 at 11:47 AM Rifaat Shekh-Yusef < > rifaat.s.i...@gmail.com> wrote: > >> All, >> >> As per the discussion in Vancouver, this is a call for adoption for the >> First Party Apps draft:

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-04 Thread Dick Hardt
A while ago in an in-person meeting I provided feedback that the introduction was difficult to parse. It still is. A few comments inserted to illustrate. I'll raise my hand to provide alternative text if the authors are interested. /Dick > 1. >