[OAUTH-WG] Cross-Device Flows Shepherd Write-up - Author Confirmation

2025-07-22 Thread Hannes Tschofenig
Dear authors, please indicate your willingness to be listed as a document author of the Cross-Device Flows draft. Ciao Hannes (As a Document Shepherd) ___ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org

[OAUTH-WG] Implementation Status of Cross-Device Flows

2025-07-22 Thread Hannes Tschofenig
Hi all, as part of the shepherd write-up for the "Cross-Device Flows" document, we are seeking information about any implementations of this draft (and the technologies referenced in the draft). If you are aware of implementations that adhere to the draft, please let us know. Ciao Hannes (Do

[OAUTH-WG] Cross-Device Flows Shepherd Write-up - IPR Disclosure

2025-07-22 Thread Hannes Tschofenig
Authors, as part of the shepherd write-up, all authors of the Cross-Device Flows draft must confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have been disclosed. Please, reply on the mailing list, and indicate if you

[OAUTH-WG] Re: Status List Feature Request

2025-03-05 Thread Hannes Tschofenig
Hi Steffen, with my chair hat on: Discussions at the OAuth security workshop do not impact decision-making in this group, as the workshop is not an official IETF activity. That said, I wonder if it might make sense to propose the status list extension for X.509 certificates to a group where

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-selective-disclosure-jwt-17

2025-03-03 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-selective-disclosure-jwt-17 as Proposed Standard on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosur

[OAUTH-WG] Re: Status List Feature Request

2025-02-26 Thread Hannes Tschofenig
(chair hat off) Hi Filip, Hi all, this sounds like feature creep to me. I brought this work on status lists to the attention of the IETF LAMPS group, and there was zero interest from the PKI community in this type of solution. The PKIX community already has a wide range of established solutio

[OAUTH-WG] Review comments for SD-JWT

2025-02-11 Thread Hannes Tschofenig
Hi Daniel, Kristina, Brian, here are a few review comments that are easy to address: 1. Complete the IANA registry section for the media type registrations. Search for TBD in that section. As you make this change you might also want to remove the RFC 2119 language from the description fields.

[OAUTH-WG] Re: IPR Disclosure - Selective Disclosure for JWTs (SD-JWT)

2025-02-10 Thread Hannes Tschofenig
Brian, Daniel, Kristina, is it correct that you are willing to be listed as a document author? Ciao Hannes On 09.02.2025 at 16:02, Brian Campbell wrote: Thanks Hannes, I am not aware of any IPR associated with the document. On Sun, Feb 9, 2025 at 6:59 AM Hannes Tschofenig wrote

[OAUTH-WG] Implementation Status of SD-JWT

2025-02-09 Thread Hannes Tschofenig
Hi all, as part of the shepherd write-up for the SD-JWT document, we are seeking information about any implementations of this draft. If you are aware of implementations that adhere to the draft, please let us know. Ciao Hannes (Document Shepherd)

[OAUTH-WG] IPR Disclosure - Selective Disclosure for JWTs (SD-JWT)

2025-02-09 Thread Hannes Tschofenig
Hi Daniel, Kristina, Brian as part of the shepherd write-up, all authors of must confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have been filed. Please, reply to this email, on the mailing list, and indicate if you a

[OAUTH-WG] SD-JWT Shepherd Write-Up

2025-02-09 Thread Hannes Tschofenig
Hi all, I am in the process of working on the shepherd write-up for SD-JWT. You can track my edits here: https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/shepherdwriteup/ Ciao Hannes (Document Shepherd)

[OAUTH-WG] Re: Precipitous unreviewed change

2024-12-03 Thread Hannes Tschofenig
Hi Mike, Hi everyone, Rifaat and I requested this change to be made. The PR reverts an earlier modification to the document that was introduced without working group consensus. We plan to use the upcoming virtual interim meeting to discuss the topic of DID resolution—specifically whether it belo

Re: [OAUTH-WG] OAuth Digital Credential Status Attestations

2024-01-17 Thread hannes . tschofenig=40gmx . net
Hi Giuseppe, Francesco, Orie, @Orie: Thanks for sharing the draft. As a quick reaction: It would be good to invent a new term for “attestation” in draft-demarco-status-attestations.html because this term is already widely used in a different context (see RFC 9334). @Giuseppe and Franc

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-02 Thread Hannes Tschofenig
everything was re-defined in CBOR/COSE. CWT was one of the outcomes of that work. The idea was nice but the success was below my expectations. On 02.11.2023 at 13:23, Daniel Fett wrote: Hi Hannes, On 02.11.23 at 12:46, Hannes Tschofenig wrote: The question to the authors of the SD-JWT &

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-02 Thread Hannes Tschofenig
be, etc. I consider SD-JWT closer to a finish line than a start line and would not like its progress being slowed down by moving it to another WG at this point of document's lifecycle. I am not in favor of moving SD-JWT work to SPICE WG. Best, Kristina *From:*OAuth *On Behalf Of *Hannes T

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-01 Thread Hannes Tschofenig
Hi Torsten, On 01.11.2023 at 17:43, tors...@lodderstedt.net wrote: Have I missed a posting on this list where you have started a discussion with the WG of whether the drafts shall be moved into SPICE now? Otherwise I’m wondering about the tone of your post. It’s the WG that needs to decide on

[OAUTH-WG] Missing IPR confirmations .... Re: IPR Disclosure - OAuth 2.0 Security Best Current Practice

2023-11-01 Thread Hannes Tschofenig
John & Andrey - please reply to my email below. Ciao Hannes On 04.10.2023 at 15:41, Tschofenig, Hannes wrote: Hi Daniel, Torsten, Andrey, John, as part of the shepherd write-up, all authors of must confirm that any and all appropriate IPR disclosures required for full conformance with t

[OAUTH-WG] Relationship between SPICE and OAuth

2023-11-01 Thread Hannes Tschofenig
Hi all, I am a bit puzzled by the response Pam and I received when putting the agenda for the SPICE BOF together. It appears that most people have not paid attention to the discussions during the last few months. Let me try to get you up to speed. So, here is my summary. The OAuth working gr

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-10-03 Thread Hannes Tschofenig
It's unfortunate that the spec does not cite previous work, which the authors are undoubtedly aware of, the same comment was made at the microphone at the last IETF. Orie is right that we have to take prior work into account. I am saying this in response to this call for adoption but it app

[OAUTH-WG] IAB statement on the risks of attestation

2023-10-03 Thread Hannes Tschofenig
Here is an IAB statement relevant to the work we are doing on Client Attestation: https://www.iab.org/documents/correspondence-reports-documents/2023-2/iab-statement-on-the-risks-of-attestation-of-software-and-hardware-on-the-open-internet/ You might recall that I talked about attestation at th

Re: [OAUTH-WG] SD-JWT does not meet standard security definitions

2023-08-24 Thread Hannes Tschofenig
Hi Watson, deploying technologies can be complex because the incentives need to align. Not everything that looks great on paper gets adopted in the time frame or manner we like. In this specific case U-Prove has not seen excitement in the industry. There are reasons but it is difficult to s

[OAUTH-WG] Attestation for Dynamic Client Registration

2023-07-14 Thread Hannes Tschofenig
Hi all, Jan and I wrote a document that adds **attestation** to the dynamic client registration. Here is the document: https://datatracker.ietf.org/doc/draft-tschofenig-oauth-attested-dclient-reg/ It is pretty simple (if you know something about attestation). Ciao Hannes

[OAUTH-WG] Fwd: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)

2023-06-26 Thread Hannes Tschofenig
You might be interested in these discussions on the architecture-disc...@ietf.org regarding a new IAB program focused on identity systems. Here is the link: https://mailarchive.ietf.org/arch/browse/architecture-discuss/ Forwarded Message Subject: [arch-d] Propos

Re: [OAUTH-WG] Simplification and consolidation of SD-JWT terminology and format

2023-06-14 Thread Hannes Tschofenig
Hi Brian, please note that this is a working group item and you cannot make decisions in a small group with off-line discussions. Hence, I suggest to propose the changes to the list and get support for it. As you know, we need to follow this approach to give everyone in the group a chance to ge

Re: [OAUTH-WG] [IANA #1270467] expert review for draft-ietf-oauth-dpop (oauth-parameters)

2023-04-13 Thread Hannes Tschofenig
Hi Amanda, adding "DPoP" to the OAuth Access Token Types registry is fine as well. Regarding the entries to the "OAuth Access Token Types" registry I have a question: The location should be "resource access error response" rather than "resource error response". If so, then the entries are OK but

Re: [OAUTH-WG] [IANA #1270470] expert review for draft-ietf-oauth-dpop (jwt)

2023-04-13 Thread Hannes Tschofenig
Hi Amanda, I have reviewed the registration request and I approve it. Ciao Hannes On 12.04.2023 at 07:47, Amanda Baber via RT wrote: Hi Hannes, Can you also check this JWT registration before Thursday? John's an author, so we would need a review from you. https://datatracker.ietf.org/doc/h

Re: [OAUTH-WG] [IANA #1267318] expert review for draft-ietf-oauth-step-up-authn-challenge (oauth-parameters)

2023-04-05 Thread Hannes Tschofenig
Hi Amanda, I reviewed the request and I approve it. Thanks for the work. Ciao Hannes On 05.04.2023 at 13:04, Amanda Baber via RT wrote: Hi Hannes, Have you had a chance to review the OAuth Extensions Error registration in this document? It's on next week's telechat agenda. https://da

Re: [OAUTH-WG] OAuth 2.0 Proof-of-Possession (PoP) Security Architecture

2023-04-03 Thread Hannes Tschofenig
Hi Daniel, from the history of the group I think it is fair to say that we can guarantee that there will be further work on this topic. The reason why I agree with Nat is that neither DPoP nor MTLS paint the bigger picture. Ciao Hannes On 03.04.2023 at 09:20, Daniel Fett wrote: Hi Nat,

Re: [OAUTH-WG] OAuth WG Agenda @ IETF116

2023-03-21 Thread Hannes Tschofenig
We will schedule virtual interim meetings after IETF#116 to progress topics that need more discussion time. Ciao Hannes On 21.03.2023 at 19:41, Rifaat Shekh-Yusef wrote: All, The IESG raised some concerns around the side meetings. For this reason, we are unfortunately *canceling* these meet

Re: [OAUTH-WG] redirect uri and portals

2023-03-07 Thread Hannes Tschofenig
Hi Yannick, On 07.03.2023 at 14:25, Yannick Majoros wrote: One possible solution: Store the redirect information in a signed JWT and place the JWT in the state parameter. I don't think this is written somewhere in the security BCP but I think this is a solution used in the wild by multiple cl

Re: [OAUTH-WG] [oauth-ext-review] [IANA #1261154] expert review for draft-ietf-oauth-rar (OAuth Parameters - OAuth Extensions Error)

2022-12-13 Thread Hannes Tschofenig
This revision is OK. Thanks for all the work. -Original Message- From: oauth-ext-review On Behalf Of Amanda Baber via RT Sent: Friday, December 9, 2022 7:25 PM Cc: wpa...@rhosys.ch; r...@cert.org; oauth@ietf.org; oauth-ext-rev...@ietf.org; Hannes Tschofenig ; bcampb

Re: [OAUTH-WG] [IANA #1261154] expert review for draft-ietf-oauth-rar (OAuth Parameters - OAuth Extensions Error)

2022-12-08 Thread Hannes Tschofenig
Hi all, Thanks for the email, Amanda. I review the IANA consideration request. Only the OAuth Extension Error registration in Section 15.6 of https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar#name-iana-considerations requires some changes. The other, OAuth-related registry entries, ar

Re: [OAUTH-WG] draft-ietf-oauth-selective-disclosure-jwt

2022-12-05 Thread Hannes Tschofenig
Thanks for the response, Brian. A few remarks below. From: Brian Campbell Sent: Tuesday, November 29, 2022 11:21 PM To: Hannes Tschofenig Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-selective-disclosure-jwt Hi Hannes, Though I am yet to officially have my name on the document as a co

[OAUTH-WG] No OAuth WG Virtual Office Hours today

2022-11-29 Thread Hannes Tschofenig
Rifaat and I are unable. Hence, we need to cancel today's call. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other

[OAUTH-WG] draft-ietf-oauth-selective-disclosure-jwt

2022-11-28 Thread Hannes Tschofenig
Hi Daniel, Hi Kristina, Hi Brian, Hi all, Reading through draft-ietf-oauth-selective-disclosure-jwt I was wondering why the document defines new terminology for roles that already exist in OAuth. For example: * Issuer = AS * Holder = Client * Verifier = RS I assume that was done

Re: [OAUTH-WG] [IANA #1230270] expert review for draft-ietf-oauth-jwk-thumbprint-uri (oauth-parameters)

2022-05-13 Thread Hannes Tschofenig
Hi Michelle, This draft correctly adds one entry to the OAuth URI registry. I approve the registration. Ciao Hannes -Original Message- From: Michelle Thangtamsatid via RT Sent: Thursday, May 5, 2022 6:49 PM Cc: Hannes Tschofenig ; oauth@ietf.org Subject: [IANA #1230270] expert review

Re: [OAUTH-WG] OAuth 2.0 Rich Authorization Requests (RAR): Implementation Status

2022-05-04 Thread Hannes Tschofenig
Thanks for the clarification, Nicolas. This makes sense to me and thanks for implementing the RAR spec. Ciao Hannes -Original Message- From: Nicolas Mora Sent: Wednesday, May 4, 2022 10:07 PM To: Hannes Tschofenig ; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Rich Authorization

Re: [OAUTH-WG] Publication has been requested for draft-ietf-oauth-rar-11

2022-05-04 Thread Hannes Tschofenig
Hi Andreii, Thanks for pointing this out. We will incorporate your editorial changes alongside other review comments from the IESG and various directorates. Ciao Hannes -Original Message- From: Andrii Deinega Sent: Wednesday, May 4, 2022 9:22 PM To: Hannes Tschofenig via Datatracker

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-rar-11

2022-05-04 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-rar-11 as Proposed Standard on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

[OAUTH-WG] Updated RAR write-up

2022-05-04 Thread Hannes Tschofenig
Hi all, Thanks for the detailed feedback on the implementation status (Takahiko, Torsten, and Vladimir). I have updated the write-up detailing the implementation status. All authors of draft-ietf-oauth-rar have confirmed that any and all appropriate IPR disclosures required for full conformance

Re: [OAUTH-WG] OAuth 2.0 Rich Authorization Requests (RAR): Implementation Status

2022-05-04 Thread Hannes Tschofenig
ttps://babelouest.io/glewlwyd/ /Nicolas On 2022-04-06 at 09:46, Hannes Tschofenig wrote: > Hi all, > > I am working on the shepherd writeup for the RAR document and the IESG > is interested to hear about the implementation status of this specification. > > What implementations are av

[OAUTH-WG] Shepherd writeup for draft-ietf-oauth-rar-10

2022-04-06 Thread Hannes Tschofenig
Hi all, Here is the work in progress version of the shepherd writeup for the draft-ietf-oauth-rar-10: https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/shepherdwriteup/ Please take a look at it and let me know if I missed anything. I will ship it to the IESG once all IPR confirmations are ava

[OAUTH-WG] OAuth 2.0 Rich Authorization Requests (RAR): Implementation Status

2022-04-06 Thread Hannes Tschofenig
Hi all, I am working on the shepherd writeup for the RAR document and the IESG is interested to hear about the implementation status of this specification. What implementations are available that use the RAR functionality or are vendors planning to implement this specification? Ciao Hannes

[OAUTH-WG] IPR Disclosures - OAuth 2.0 Rich Authorization Requests

2022-04-06 Thread Hannes Tschofenig
Authors, as part of the shepherd write-up, all authors of draft-ietf-oauth-rar must confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. Please, reply to this email on the mailing list and indicate if

Re: [OAUTH-WG] [oauth-ext-review] [IANA #1216704] Expert Review for draft-ietf-oauth-iss-auth-resp (oauth-parameters) (2)

2022-01-26 Thread Hannes Tschofenig
t;. Fortunately, this use is compatible with > > > > that in > > > > draft-ietf-oauth-iss-auth-resp. > > > > > > > > I would be OK with draft-ietf-oauth-iss-auth-resp also registering it > > > > for > > > > usage "authoriz

[OAUTH-WG] draft-ietf-oauth-rar-08 review

2021-12-21 Thread Hannes Tschofenig
Hi all, thanks for writing this document. I have read through it as part of my shepherd writeup and here are a few comments and questions. Generic Comments: As a style issue, it would be good to treat code segments as figures with figure headings so that references in the text are easier to m

[OAUTH-WG] Canceling OAuth Virtual Office Hours today

2021-11-17 Thread Hannes Tschofenig
Hi all, Since neither Rifaat nor myself are available today, we will cancel the virtual office hours for today. Ciao Hannes & Rifaat

[OAUTH-WG] OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-11 Thread Hannes Tschofenig
Hi all Following the virtual interim meeting discussion last week about "OAuth Proof of Possession Tokens with HTTP Message Signature" my main concern is about the unclear boundary between draft-ietf-oauth-dpop and the OAuth Proof of Pos

[OAUTH-WG] New Doodle Poll for OAuth Virtual Office Hours

2021-09-20 Thread Hannes Tschofenig
Hi all We are running a Doodle poll to find suitable times for our bi-weekly OAuth office hours. Here is the link: https://doodle.com/poll/2tf58dmmhvgi6rrt?utm_source=poll&utm_medium=link Ciao Hannes & Rifaat

[OAUTH-WG] No OAuth WG Virtual Office Hours today

2021-09-06 Thread Hannes Tschofenig
Hi all, Due to the holiday in the US and in Canada we are skipping the call today. Ciao Hannes

[OAUTH-WG] No OAuth WG Virtual Office Hours Today

2021-07-12 Thread Hannes Tschofenig
Due to a conflict there is no conference call today. Ciao Hannes

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-par-07

2021-04-29 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-par-07 as None on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-par/

[OAUTH-WG] OAuth 2.0 Pushed Authorization Requests: Shepherd Write-Up

2021-03-24 Thread Hannes Tschofenig
FYI: If you want to track my shepherd write-up for the "OAuth 2.0 Pushed Authorization Requests" specification then you can find it here: https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_PAR.txt Ciao Hannes

[OAUTH-WG] OAuth 2.0 Pushed Authorization Requests: Implementation Status

2021-03-24 Thread Hannes Tschofenig
Hi all, I am working on the shepherd writeup and I need information about the implementation status of this specification. Can you share whether you are implementing, or planning to implement this specification? If there is open source, please drop a link to the mailing list. If you implement

[OAUTH-WG] OAuth 2.0 Pushed Authorization Requests: IPR Confirmation

2021-03-24 Thread Hannes Tschofenig
Hi Torsten, Brian, Nat, Dave, Filip, I am working on the shepherd writeup for the "OAuth 2.0 Pushed Authorization Requests" specification. One item in the shepherd template requires me to indicate whether each document author has confirmed that any and all appropriate IPR disclosures requi

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-24 Thread Hannes Tschofenig
Hi Phil, I am moving this to the OAuth group to avoid confusing the IETF list any further. See my feedback below. From: ietf On Behalf Of Phillip Hallam-Baker Sent: Wednesday, February 24, 2021 6:47 AM To: Kathleen Moriarty Cc: i...@ietf.org; oauth@ietf.org Subject: Re: Diversity and Inclusiv

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Hannes Tschofenig
virtual interim meetings. Ciao Hannes PS: This is not a general life advice. There are many things you better skip... From: Bron Gondwana Sent: Tuesday, February 23, 2021 12:51 PM To: Hannes Tschofenig ; i...@ietf.org Cc: oauth@ietf.org Subject: Re: Diversity and Inclusiveness in the IETF Without

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-23 Thread Hannes Tschofenig
Hi Bron, I have to respond to your statements about the OAuth working group below. While we do not pay attention to keeping the charter page up-to-date, we have been able to advance our documents, produce many implementations, and got those deployed all over the Internet. The bar for acceptanc

[OAUTH-WG] PAR Shepherd Review

2020-11-10 Thread Hannes Tschofenig
Hi all, I am in the process of writing my shepherd write-up for the PAR document and wanted to make sure that I properly understand the document. The introduction says: " This document [PAR] complements JAR by providing an interoperable way to push the payload of an authorization request

[OAUTH-WG] Publication has been requested for draft-ietf-oauth-access-token-jwt-10

2020-10-08 Thread Hannes Tschofenig via Datatracker
Hannes Tschofenig has requested publication of draft-ietf-oauth-access-token-jwt-10 as Proposed Standard on behalf of the OAUTH working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-access-toke

[OAUTH-WG] FW: JWT Secured Authorization Request (JAR): IPR Confirmation

2020-10-05 Thread Hannes Tschofenig
FYI: I am not sure whether this email made it to the mailing list From: Nat Sakimura Sent: Tuesday, September 22, 2020 7:44 AM To: John Bradley Cc: Hannes Tschofenig ; Mike Jones ; oauth@ietf.org Subject: Re: JWT Secured Authorization Request (JAR): IPR Confirmation I know of no IPR, and make

[OAUTH-WG] FW: Subject claim ... was : About draft-ietf-oauth-access-token-jwt-10

2020-09-28 Thread Hannes Tschofenig
<mailto:denis.i...@free.fr> Sent: Thursday, September 24, 2020 9:18 AM To: Hannes Tschofenig <mailto:hannes.tschofe...@arm.com>; vittorio.berto...@auth0.com<mailto:vittorio.berto...@auth0.com> Subject: Re: Subject claim ... was : [OAUTH-WG] About draft-ietf-oauth-access-token-jwt

[OAUTH-WG] JWT Secured Authorization Request (JAR): IPR Confirmation

2020-09-21 Thread Hannes Tschofenig
Hi Mike, Nat, John, I am updating the shepherd writeup for the "The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)" specification, see https://tools.ietf.org/id/draft-ietf-oauth-jwsreq-30.txt, and given the changes I need your IPR confirmation again. (Mike joined as

[OAUTH-WG] Implementation Status of "JWT Secured Authorization Request (JAR)"

2020-09-21 Thread Hannes Tschofenig
Hi all Because of some procedural issues I have to update the shepherd writeup of the JAR document and I wanted to verify whether the implementations listed in https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_JAR.txt (copied below) are still inline wit

[OAUTH-WG] Updated shepherd writeup for draft-ietf-oauth-access-token-jwt-09

2020-09-21 Thread Hannes Tschofenig
Hi all, I updated the shepherd writeup for draft-ietf-oauth-access-token-jwt-09 and included the links to the implementations distributed on the list. I am sure there are more. While updating the shepherd writeup I noticed that the draft contains a JWT in a style that does not match the format

[OAUTH-WG] Shepherd writeup for the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens -- Information about Implementations

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, Hi all, I am working on the shepherd writeup for and you can find the latest version here: https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_JWT-Profile-for-AccessTokens.txt I am in need for information about implementations that are con

[OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens: IPR Confirmation

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, I am working on the shepherd writeup for the "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" specification: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08 One item in the template requires me to indicate whether each document author has confirmed that a

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, Thanks for the draft update. Responses to your questions are below: From: Vittorio Bertocci Sent: Tuesday, September 15, 2020 8:59 AM To: Hannes Tschofenig ; oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Thank you Hannes for the thorough review, and

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-10 Thread Hannes Tschofenig
, September 10, 2020 11:41 AM To: Hannes Tschofenig Cc: Dick Hardt ; oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Hi Hannes, Thank you for responses. See below. Hi Denis, Hi Dick and Hannes, 1) While reading RFC 7519, no reader may be able to figure out that there

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-09 Thread Hannes Tschofenig
Hi Denis, Hi Dick and Hannes, 1) While reading RFC 7519, no reader may be able to figure out that there are more than two flavours of the "sub" claim. This draft is introducing two new other flavours of the semantics of the "sub" claim which are not present in RFC 7519. When an elemen

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-09 Thread Hannes Tschofenig
Authorization Protocol (gnap) working group instead. Ciao Hannes From: Dick Hardt Sent: Tuesday, September 8, 2020 6:26 PM To: Denis Cc: Hannes Tschofenig ; oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Denis The objective of this document is to standardize the token

[OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-07 Thread Hannes Tschofenig
Hi Vittorio, Hi all, I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07. Reading through the draft I have a few minor suggestions: Section 2: I would delete this sentence "JWT access tokens are regular JWTs complying with the requirements described in this section." Reas

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-06-04 Thread Hannes Tschofenig
Hi Denis, Please see my response below. From: Denis Sent: Wednesday, June 3, 2020 12:12 PM To: Hannes Tschofenig Cc: Rifaat Shekh-Yusef ; Vittorio Bertocci ; oauth@ietf.org Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" Hi Hannes

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-06-02 Thread Hannes Tschofenig
Let me try to jump in here in order to make a proposal for the text in the privacy consideration section: FROM: 6. Privacy Considerations As JWT access tokens carry information by value, it now becomes possible

[OAUTH-WG] Virtual Interim meeting next Monday, May 18th -- DPOP Discussion

2020-05-13 Thread Hannes Tschofenig
Hi all, As discussed at the last virtual interim meeting call we will add another slot next Monday to talk about DPOP. This is a continuation of the DPOP discussion we had during one of our virtual interim meeting slots. Please find the meeting invite in the calendar. Ciao Hannes & Rifaat

[OAUTH-WG] Meeting info for April 6th

2020-04-01 Thread Hannes Tschofenig
As announced, here is the calendar invite for the virtual interim meeting next Monday. We are going to focus on the following two documents, as previously posted to the list: 1) OAuth Security Topics https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14 Goal: Make it ready for the I

[OAUTH-WG] IETF 107 Virtual OAuth Sessions

2020-03-26 Thread Hannes Tschofenig
Hi all, Rifaat and I had a chat about the virtual interim meetings. We decided to schedule 6 one-hour-long sessions with 2 topics per session. Here is the list of topics we want to discuss: 1) OAuth Security Topics + Browser-Based Apps 2) JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

[OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-23 Thread Hannes Tschofenig
Hi all, this is a working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens". Here is the document: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04 Please send your comments to the OAuth mailing list by April 6, 2020. Ciao Hannes & Rifaat

[OAUTH-WG] Meeting Notes (9th March 2020)

2020-03-17 Thread Hannes Tschofenig
Participants: - Roman Danyliw - Torsten Lodderstedt - Travis Spencer - Aaron Parecki - Ben Kaduk - Brian Campbell - Cigdem Sengul - Daniel Fett - David Waite - Filip - Jim Schaad - Justin Richer - Marco Tiloca - Matthew de Haast - Michael Peck - Mike Jones - Phil Hunt - Hannes Tschofenig - Joseph

[OAUTH-WG] Virtual Interim Meeting for the PoP Discussion

2020-02-26 Thread Hannes Tschofenig
Hi all, Here are the details for the virtual interim meeting to discuss the proof-of-possession tokens. Date: March, 9th Time: 6:00 PM - 7:30 PM Monday, (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna Meeting number (access code): 641 458 628 Meeting password: BWsAF9rT We

[OAUTH-WG] Experts for IANA OAuth Registries

2020-01-16 Thread Hannes Tschofenig
Hi all, as part of the standards work on OAuth we have created several registries, see https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml. Adding and modifying entries in that registry often requires expert reviewers to verify changes. We need volunteers to become expert

[OAUTH-WG] Doodle Poll for scheduling a discussion on proof-of-possession tokens

2020-01-13 Thread Hannes Tschofenig
Hi all, at the Singapore IETF meeting we talked about setting time aside for discussing proof-of-possession tokens. To schedule a call we put a Doodle poll together: https://doodle.com/poll/sqhbeeg6knp435ag Please let us know by the end of the week what dates work for you. Ciao Hannes & Rifaat

[OAUTH-WG] Virtual Interim Meeting/Conference Call on Feb. 10th

2020-01-07 Thread Hannes Tschofenig
Hi all, Based on the feedback we have selected Feb, 10th at 6pm CET. In other time zones this is: https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=2&day=10&hour=17&min=0&sec=0&p1=1889&p2=179&p3=137 Meeting link: https://ietf.webex.com/ietf/j.php?MTID=m2d06208053cadb653

[OAUTH-WG] No OAuth Call Today

2019-12-30 Thread Hannes Tschofenig
Due to vacation there is no OAuth call today. We wish you a Happy New Year! Ciao Hannes & Rifaat IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not d

Re: [OAUTH-WG] Doodle Poll for OAuth Virtual Interim Meeting

2019-12-24 Thread Hannes Tschofenig
On Mon, Dec 16, 2019 at 11:12 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote: Hi all, at the Singapore IETF meeting we had a discussion about a possible update of RFC 6749 (with the codename of “OAuth 2.1”). A discussion at a side-meeting in Singapore made clear th

Re: [OAUTH-WG] Meeting Minutes

2019-12-23 Thread Hannes Tschofenig
, December 21, 2019 10:59 AM To: Hannes Tschofenig Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Meeting Minutes With respect to Rich Authorization Requests, the minutes state that a call for adoption will be sent to the list. When will this call for adoption be sent to the list? On 03.12.2019 at 09

[OAUTH-WG] Doodle Poll for OAuth Virtual Interim Meeting

2019-12-16 Thread Hannes Tschofenig
Hi all, at the Singapore IETF meeting we had a discussion about a possible update of RFC 6749 (with the codename of "OAuth 2.1"). A discussion at a side-meeting in Singapore made clear that there is no common view about the goals of such an effort and whether there are other options to reach th

[OAUTH-WG] Meeting Minutes

2019-12-03 Thread Hannes Tschofenig
Here are the meeting minutes from the Singapore IETF meeting: https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03 Tony was our scribe. Thanks!

[OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

2019-11-06 Thread Hannes Tschofenig
Hi all, this is a working group last call for "OAuth 2.0 Security Best Current Practice". Here is the document: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13 Please send your comments to the OAuth mailing list by Nov. 27, 2019. (We use a three week WGLC because of the IETF meet

Re: [OAUTH-WG] Virtual Office Hours

2019-10-16 Thread Hannes Tschofenig
Hi Brian, Hi Lee, the secretary will distribute the information in an “official way”. I expect this to happen in the next few days. Ciao Hannes From: OAuth On Behalf Of Brian Campbell Sent: Wednesday, 16 October 2019 16:32 To: Lee McGovern Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Virtual Off

[OAUTH-WG] Virtual Interim Meeting - Nov. 4th

2019-10-15 Thread Hannes Tschofenig
Hi all, we would like to hold a virtual interim meeting to discuss the next steps regarding the OAuth 2.0 Security Best Current Practice (https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/) draft. Time would be at our bi-weekly OAuth WG Virtual Office Hours (i.e., 6:00 PM to 6:

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

2019-09-12 Thread Hannes Tschofenig
Thanks for the correction; yes – the most recent version is -02 and I posted an old link. From: Eve Maler Sent: Thursday, 12 September 2019 16:16 To: Hannes Tschofenig Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01 I think you mean https://tools.ietf.org/html/draft

[OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

2019-09-11 Thread Hannes Tschofenig
Hi all, We are starting a WGLC on the "OAuth 2.0 Incremental Authorization" draft. You can find the document here: https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-01 Please review the document and provide feedback. The WGLC will end September 25th, 2019. Ciao Hannes & Rifaat

Re: [OAUTH-WG] Virtual Interim Meeting: Doodle Poll

2019-06-04 Thread Hannes Tschofenig
. Because the agenda of the meeting was announced upfront already we believe we cannot change the agenda at this point in time anymore. We will still hold our regular OAuth WG office hour, if anyone wants to chat with Rifaat and myself about OAuth WG business. Ciao Hannes From: Hannes

[OAUTH-WG] Virtual Interim Meeting: Doodle Poll

2019-05-28 Thread Hannes Tschofenig
Hi all, at the Prague IETF meeting we ran a bit out of time during the working group session and therefore we would like to schedule an interim meeting to continue the conversation about UMA. Rifaat and I have set up a Doodle poll with two possible dates (1 hour slots at the bi-weekly OAuth WG

Re: [OAUTH-WG] MTLS vs. DPOP

2019-05-08 Thread Hannes Tschofenig
Hi Ben, > I've forgotten the details of those two documents, but in the general case, > if there's a WG document that is no longer actively being worked on (or is > now believed to be a bad idea), the chairs can pretty easily get a new rev > posted that has a "tombstone" notice, like "this docu

Re: [OAUTH-WG] MTLS vs. DPOP

2019-05-07 Thread Hannes Tschofenig
George, > I don't see them the same at all. With MTLS, the token is bound to the > transport layer (and the key used to establish that encrypted connection). > With DPOP, the token is bound to the private key known to the client. Strictly speaking both solutions tie the token to the public key

Re: [OAUTH-WG] Token Exchange status and Resource Indicators

2019-05-07 Thread Hannes Tschofenig
> > - Can 'audience' be added to 'Resource Indicators for OAuth 2.0'? > > No, that's beyond its current scope. And it is well past last call in > the WG. But note that a logical identifier can be used as the value of > the resource parameter. The group can define what is in scope of a document an

Re: [OAUTH-WG] OAuth security topics

2019-05-07 Thread Hannes Tschofenig
differences. * I put together a presentation summarizing my findings and suggesting a rough interoperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx

Re: [OAUTH-WG] MTLS and Native apps Best practices

2019-05-07 Thread Hannes Tschofenig
Hi Phil I believe this is a question that William and John may be able to answer. Should MTLS be added to a future version of the Native Apps BCP? If the answer is “no”, why not? Ciao Hannes From: OAuth On Behalf Of Phil Hunt Sent: Thursday, 2 May 2019 20:41 To: oauth Subject: [OAUTH-WG]
