Greetings!
I was reviewing:
OAuth 2.0 Attestation-Based Client Authentication
draft-ietf-oauth-attestation-based-client-auth-04
and think there's an opportunity to increase clarity. I assume by
mentioning attestations, the draft means that a key created off of the root
of trust (lik
Greetings!
I believe I volunteered to review the PIKA draft at IETF 120. The version
reviewed:
https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/ is the -01
The problem statement is clear and I appreciate the authors leaving a few
questions open in order to gain consensus views on those pa
On Tue, Feb 23, 2021 at 9:30 AM Roman Danyliw wrote:
> Hi!
>
>
>
> *From:* ietf *On Behalf Of * Bron Gondwana
> *Sent:* Tuesday, February 23, 2021 7:47 AM
> *To:* Rifaat Shekh-Yusef
> *Cc:* i...@ietf.org; oauth@ietf.org
> *Subject:* Re: Diversity and Inclusiveness in the IETF
>
>
>
> On Tue, Fe
at 2:34 PM, Kathleen Moriarty
wrote:
> Hi William,
>
> Thank you for making the updates. Just a few notes inline and I'll
> kick off IETF last call.
>
> On Wed, Apr 26, 2017 at 5:50 PM, William Denniss wrote:
>> Thank you for your review Kathleen.
>>
>> V
g/html/draft-ietf-oauth-native-apps-10
>
> Replies inline:
>
> On Mon, Apr 24, 2017 at 6:47 PM, Kathleen Moriarty
> wrote:
>>
>> Hello,
>>
>> Thanks for taking the time to document this best practice and the
>> implementations in the appendix. I have o
y, but consistency helps in most situations. If this is
specific to an example, that's fine. If the general pattern could be
a URI (not a URL), then just be sure that is clear in the text.
Please let me know when it is ready and I'll start the IETF last call.
Thanks,
Kathleen
>
>
Hello,
Thanks for taking the time to document this best practice and the
implementations in the appendix. I have one comment and a few nits.
Security Considerations:
I think it would go a long way to organize these as ones that apply to
this best practice and ones (8.1 and the example in 8.2) abo
Hello,
If you are interested in chairing OAuth, please send a direct message
to Stephen, Eric, and me.
A big thank you to Derek for his work in OAuth and we hope to have his
continued participation in the working group!
--
Best regards,
Kathleen
___
used only once, have short validity period, and MUST have large
> enough entropy
>
> + The adequate shortness of the validity and
> + the entropy of the Request Object URI depends
> + on the risk calculation based on the value
> + of the resource being protected.
k you & happy new year!
Kathleen
On Wed, Dec 28, 2016 at 11:27 AM, Kathleen Moriarty <
kathleen.moriarty.i...@gmail.com> wrote:
> Hi Nat,
>
> Thank you for the updates. Please let me know when you publish a new
> version. I'll start last call after the new year. inline.
>
re able to rest a bit!
>
> My responses inline.
>
> On Sat, Oct 29, 2016 at 12:39 AM Kathleen Moriarty <
> kathleen.moriarty.i...@gmail.com> wrote:
>
>> Hello,
>>
>> I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to
>> be a
e described inline.
>
>
>
>-- Mike
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Kathleen
> Moriarty
> *Sent:* Saturday, October 29, 2016 3:51 AM
> *To:* oauth@ietf.org
> *Subject:* [OAU
Hello,
I reviewed draft-ietf-oauth-amr-values and have a few comments. First,
thanks for your work on this draft!
Several of the authentication methods mentioned are typically used (or
recommended for use) as a second or third factor. I see in section 3 that
multiple methods can be contained in
Hello,
I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to be
a nice addition to help with security. Thanks for your work on it.
I only have a few comments.
The first is just about some wording that is awkward in the TLS section.
What's there now:
Client implementations s
Hi Mike,
Thanks for getting these comments addressed prior to the call today!
Barry, thanks for your detailed review!
Kathleen
On Thu, Dec 17, 2015 at 5:24 AM, Mike Jones wrote:
> Proof-of-Possession Key Semantics for JWTs draft -10 was published for
> consideration on the IESG telechat later
Thank you!
Sent from my iPhone
> On Dec 13, 2015, at 11:33 PM, Mike Jones wrote:
>
> Done in -09.
>
> -Original Message-
> From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com]
> Sent: Sunday, December 13, 2015 8:09 PM
> To: Mike Jones
>
Thanks again!
>
> -- Mike
>
>
>
> From: Manger, James [mailto:james.h.man...@team.telstra.com]
> Sent: Sunday, December 13, 2015 8:04 PM
> To: Mike Jones ; Kathleen Moriarty
> ; oauth@ietf.org
> Subject: RE: [OAUTH-WG] impl
"use":"sig",
>"crv":"P-256",
>"x":"18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
>"y":"-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"
> }
> }
> }
>
> --
Hi,
Are there any implementations of draft-ietf-oauth-proof-of-possession?
Thanks!
--
Best regards,
Kathleen
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
> --
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3904
>
> --
> Status: Verified
> Type: Editorial
>
> Reported by: Takahiko Kawasaki
>
>> on the redirect URI with additional parameters,
>> so the redirect_uri value is only part of the response URI.
>>
>> I think his wording is better, but what is there is not strictly speaking
>> wrong.
>>
>> It is in non normative text, and the normat
Hi,
What do we do with the following errata, I don't see any prior list responses:
https://www.ietf.org/mail-archive/web/oauth/current/msg14033.html
Thank you!
--
Best regards,
Kathleen
istry. I'll put it
down as editorial since the registry is normative.
Thanks!
Kathleen
>
> John B.
>
>> On Dec 8, 2015, at 12:47 PM, Kathleen Moriarty
>> wrote:
>>
>> Hi,
>>
>> I'm inclined to reject the following errata on 2 counts:
>>
Hi,
I'm inclined to reject the following errata on 2 counts:
error_description is already included in the registry and adding a new
entry involves a 'specification required' and a review period on the
email list for that registry.
Should there be a specification for this? It looks the same as
e
].
>
>
> Phil
>
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
> On Dec 1, 2015, at 10:35 AM, Phil Hunt wrote:
>
> Thanks Justin. Your tweaks look good to me.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.h...@oracl
are characteristics shared with bearer tokens and more information on
>best practices can be found in [RFC6819] and in the security
>considerations section of [RFC6750].
>
> If this looks good to the group, I’ll post draft 7 this afternoon
> (pacific).
>
> Thanks,
>
> Phi
guity that you're referring to, when the situation for JWT implementers
> is actually unambiguous.
>
> How would you like to proceed?
>
> -- Mike
>
> -Original Message-
> From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com]
> Se
cryptographic protection (such as signature or encryption) or use of
>
>a reference value with sufficient entropy and associated secure lookup.
>
>These are characteristics shared with bearer tokens and more information
>
>on best practices can be found in [[RFC6819
what it's worth, I don't remember any DISCUSSes on this topic (although
>> it's possible that your memory is better than mine on this point).
>>
>> Best wishes,
>> -- Mike
>>
>> -Original Mes
Hi,
Sent from my iPhone
> On Nov 25, 2015, at 3:20 PM, John Bradley wrote:
>
> Tokens are signed or the information is otherwise integrity protected between
> the AS and the RS.
>
> I suspect Kathleen is concerned about the key getting modified in transit.
> That needs to be protected ag
(although
> it's possible that your memory is better than mine on this point).
>
>Best wishes,
>-- Mike
>
> -Original Message-
> From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com]
> Sent: Tuesday, November 24,
r implementers and will lead to issues with
interoperability.
Thanks,
Kathleen
>
> -- Mike
>
> -Original Message-
> From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com]
> Sent: Tuesday, November 24, 2015 6:41 PM
> To: Mike Jones
> Cc:
un...@ietf.org] On Behalf Of Kathleen
>> Moriarty
>> Sent: Tuesday, November 24, 2015 9:44 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession
>>
>> Hi,
>>
>> Thank you all for your work on this draft! I just h
'd like to start IETF last
call soon on this and the architecture draft (as in this week soon).
Thanks,
Kathleen
>
> — Justin
>
>> On Nov 24, 2015, at 12:44 PM, Kathleen Moriarty
>> wrote:
>>
>> Hi,
>>
>> Thank you all for your work on this draft!
Thanks, Phil. Hopefully we can wrap up that discussion soon as well.
Best regards,
Kathleen
On Tue, Nov 24, 2015 at 3:07 PM, Phil Hunt wrote:
> This draft addresses review comments from Kathleen and Erik raised since the
> last draft.
>
> It may not include some of the discussion from yesterda
Hi,
Thank you all for your work on this draft! I just have a few questions:
1. Security considerations section says:
"All of the normal security issues, especially in relationship to
comparing URIs and dealing with unrecognized values, that are
discussed in JWT [JWT] also apply here."
I
nyone believe that we nonetheless need to
>> do an update to the draft? If so, can you supply proposed wording or at
>> least the gist of the additional ideas that you'd like to have conveyed.
>>
>>Best wishes,
>>-- Mike
>
Hi,
This draft was tossed over the fence to me, but it seems that there
may be a few open questions that remain. Use of HSM and TPM were
raised in this thread and not addressed in the current draft version.
Is guidance needed for nested JWTs? If not, why?
In a separate thread, JWK is mentioned,
after that.
I think we are good now! Thanks.
Kathleen
>
> Phil
>
>> On Nov 20, 2015, at 08:27, Kathleen Moriarty
>> wrote:
>>
>> I'm re-reading to make sure this would be okay at this stage and have
>> some suggestions.
>>
>>
entid.com
> phil.h...@oracle.com
>
>> On Nov 16, 2015, at 12:37 PM, Kathleen Moriarty
>> wrote:
>>
>> Hello,
>>
>> I reviewed draft-ietf-oauth-pop-architecture and have a few questions.
>>
>> 1. Section 6, Threat Mitigation:
>>
>> Last
I'm re-reading to make sure this would be okay at this stage and have
some suggestions.
Could 3.2 cover TLS and DTLS? Then you don't need to state COSE/CBOR
specifically in this section but it hints at applicable IoT use cases
and isn't a big change since OAuth could be used in scenarios with
DTL
Hello,
I reviewed draft-ietf-oauth-pop-architecture and have a few questions.
1. Section 6, Threat Mitigation:
Last sentence of first paragraph, "To
simplify the subsequent description we assume that the token itself
is digitally signed by the authorization server and therefore cannot
b
Yes, nice job!
Sent from my iPhone
> On Oct 21, 2015, at 4:20 AM, Hannes Tschofenig
> wrote:
>
> Thank you Justin for the hard work!
>
>> On 10/20/2015 06:32 PM, Justin Richer wrote:
>> Thank you to everyone who helped make token introspection into a real
>> standard!
>>
>> — Justin
>>
>>>
web/oauth/current/msg14305.html in which he
>> wrote "Is this proposal also limited to a single key for both asymmetric and
>> symmetric?". This is pertinent because as I wrote in the first thread
>> mentioned at
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html, "Part of
>>
On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones
wrote:
> There didn’t seem to be support for having cnf contain array values.
> Instead, as discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC
> followup 3 (was Re: confirmation model in proof-of-possession-02)”, if
> different keys are bein
Hey Barry,
From my observations with Facebook, it now has options added for you to
select what resources from Facebook will get shared when authorizing access
to other applications. You can click on each of the possibilities and
strip it down. It appears to me that Facebook is managing that, so
d 'Curent'.
>
> On Fri, Jul 10, 2015 at 9:33 AM, Kathleen Moriarty <
> kathleen.moriarty.i...@gmail.com> wrote:
>
>> Thanks, Brian!
>>
>> William? Are you good with this version?
>>
>> On Fri, Jul 10, 2015 at 12:11 PM, Brian Campbell
of Barry’s discuss
>> points.
>> They were comments on the changes that Barry introduced that caused an
>> inconsistency. I resolved that in 15.
>>
>> I think it is good to go.
>>
>>
>> On Jul 10, 2015, at 12:29 PM, Kathleen Moriarty <
>>
John,
The updates were included in the version I approved for posting that also
addressed Barry's discuss points, correct?
Are we good with the current version to move forward:
https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/
Thank you,
Kathleen
On Thu, Jul 9, 2015 at 2:46 PM, John Bradl
Thanks for your responses on these comments.
I can approve an updated draft to make this change and the one for IANA if
that is the easiest path. The other option is to write this all up in an
RFC editor note and I can send that with the approval. Making the direct
updates may be simpler to avoi
On Tue, Jul 7, 2015 at 3:43 PM, Kathleen Moriarty <
kathleen.moriarty.i...@gmail.com> wrote:
> I'm just catching up on this thread, but would appreciate an in-room
> discussion on this topic that doesn't assume the adopted draft has the
> agreed upon approach as I am
I'm just catching up on this thread, but would appreciate an in-room
discussion on this topic that doesn't assume the adopted draft has the
agreed upon approach as I am not reading that there is consensus on that
approach in this thread at all.
Could we see presentations on Mike's draft and Brian's
Hi,
I haven't seen a response on this yet. Please respond to discuss the
issues pointed out by Alissa.
Thank you,
Kathleen
On Mon, Jun 8, 2015 at 12:40 PM, Alissa Cooper wrote:
> Alissa Cooper has entered the following ballot position for
> draft-ietf-oauth-introspection-09: Discuss
>
> When
Hi Barry,
Thanks very much for your detailed review. I have one comment inline.
On Mon, Jun 8, 2015 at 8:36 AM, Barry Leiba wrote:
> Barry Leiba has entered the following ballot position for
> draft-ietf-oauth-introspection-09: No Objection
>
> When responding, please keep the subject line int
>
> John B.
>
>> On Apr 18, 2015, at 12:39 PM, Kathleen Moriarty
>> wrote:
>>
>> Hello,
>>
>> I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be said
>> about TLS 1.2 in the security recommendations. I see that it is
Thank you! Once the shepherd and I check the comments to make sure they were
all addressed, we'll progress the draft.
Best regards,
Kathleen
Sent from my iPhone
> On May 5, 2015, at 9:07 PM, Stephen Farrell wrote:
>
>
> Hi Justin,
>
> That's great thanks. I've cleared.
>
> Cheers,
> S.
>
Thank you, both!
On Fri, Apr 24, 2015 at 5:32 PM, Stephen Farrell
wrote:
>
>
> On 24/04/15 22:27, Justin Richer wrote:
> > Stephen, I’ve worked on this this afternoon and this is my proposed text:
> >
> > The response to such a
> >situation is out of scope for this specific
Thanks, guys. Let me know when this has been addressed.
Kathleen
On Wed, Apr 22, 2015 at 7:35 PM, Mike Jones
wrote:
> I'd be fine adding the BCP 100 reference. I'd rather that we keep the
> early registration procedures language.
>
> -- Mike
>
> -Original Me
ope for this
draft so no one asks why you didn't go deeper.
Let me know once it is ready and I'll kick off last call.
Thanks.
Kathleen
>
>
> -- Justin
>
>
> On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
>
> Hello,
>
> Thank you for your work on draft-
Hello,
Thank you for your work on draft-ietf-oauth-introspection-07. The security
considerations appear to be addressed well and I was glad to see how a
response is handled when the response code is false, to not reveal
information as to why.
The privacy considerations look good, but I do have a
Hello,
I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be
said about TLS 1.2 in the security recommendations. I see that it is
recommended through RFC6819 that just says:
Attacks can be mitigated by using transport-layer mechanisms such as
TLS [RFC5246]. A virtual priva
Sent from my iPhone
> On Apr 3, 2015, at 3:16 PM, John Bradley wrote:
>
> Yes it is good, though reading that BCP may scare off implementers who will
> just ignore it.
>
> We may still want to give the current advice of >= tls 1.2 at the point of
> publication see BCP xx for additional con
Hi Justin,
I believe you said there were some pending updates for the dyn-reg draft for
which there is already a ballot. If that's correct, please go ahead and
post the updated version. If I am wrong and we are just waiting on the
management one, I'll add the ballot once you let me know the poste
Hi Hannes,
Sent from my iPhone
> On Mar 3, 2015, at 4:50 AM, Hannes Tschofenig
> wrote:
>
> Hi Kathleen,
>
> the statement about the IANA actions in the shepherd writeup are indeed
> incorrect. I updated the writeup.
Thank you!
>
>>>IANA Considerations:
>>>The shepherd repor
ed to know more on my questions from the shepherd report
in my initial message. I think this should be easy to resolve so we can
progress the draft.
Thanks,
Kathleen
On Thu, Feb 26, 2015 at 11:54 AM, Kathleen Moriarty <
kathleen.moriarty.i...@gmail.com> wrote:
> Hi Justin,
>
>
the client to a specific user I could very
> >> well imagine that the correlation between activities from a user and
> >> those from the client (particularly when the client is running on the
> >> user's device) is quite possible.
> >>
> >> Ciao
>
Thank you, Hannes.
I'll do a quick review of changes and if everything looks good, I'll start
IETF last call.
On Mon, Mar 2, 2015 at 10:06 AM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:
> Hi all,
>
> I have updated the shepherd write-up for version 24 of the dynamic
> client registrat
Hi Justin,
Thanks for the quick response.
On Thu, Feb 26, 2015 at 11:40 AM, Justin Richer wrote:
> On Feb 26, 2015, at 11:04 AM, Kathleen Moriarty <
> kathleen.moriarty.i...@gmail.com> wrote:
>
>
> Hello,
>
> I reviewed draft-ietf-oauth-dyn-reg-management, which rea
Hello,
I reviewed draft-ietf-oauth-dyn-reg-management, which reads well and I just
have a few questions and suggestions below that would be good to address
prior to IETF last call.
Section 1.3
Bullet D might be easier to read as a list within the bullet.
Section 2
This is something I don't recal
well aware of this specification and is pleased to contribute
> parts of the connect specification that have broader applicability in the
> OAuth community for inclusion in IETF specifications.
>
> John B.
>
>> On Feb 24, 2015, at 8:02 PM, Kathleen Moriarty
>> wrote:
>>
that on to the appropriate IETF legal counsel if they’re not
> already aware of it.
>
> -- Mike
>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Kathleen Moriarty
> Sent: Tuesday, February 24, 2015 3:08 PM
> To: Hannes Tschofenig
> Cc: oauth@ietf.org
> Subject: Re
ey resurface from day
jobs/travel and we will figure this out.
Thanks,
Kathleen
>
>
> -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Kathleen
> Moriarty
> *Sent:* Tuesday, February 24, 2015 3:08 PM
> *To:* Hannes Tschofenig
> *Cc:* oauth@ie
> Ciao
> Hannes
>
> On 02/18/2015 06:37 PM, Justin Richer wrote:
> > I’ll incorporate this feedback into another draft, to be posted by the
> > end of the week. Thanks everyone!
> >
> > — Justin
> >
> >> On Feb 18, 2015, at 10:30 AM, Kathleen Moria
On Wed, Feb 18, 2015 at 4:45 PM, Sam Hartman wrote:
> >>>>> "Kathleen" == Kathleen Moriarty
> writes:
>
> Kathleen> registry, but setting HTTP Basic as the default seems like
> Kathleen> a really bad choice. HOBA is on its way t
On Wed, Feb 18, 2015 at 10:07 AM, John Bradley wrote:
> snip
>
> On Feb 18, 2015, at 6:46 AM, Kathleen Moriarty <
> kathleen.moriarty.i...@gmail.com> wrote:
>
> > The client_id *could* be short lived, but they usually aren't. I don't
>> see any part
hleen, thanks for the review. Responses inline, though I'm going to
> let the other authors talk about their sections (deployment org, software
> version, etc) directly.
>
Thanks for the quick responses and sorry about my delay, it's a busy week!
> >
> > On 2/1
> >>> Subject: Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg
> >>>
> >>>
> >>> Phil
> >>>
> >>> @independentid
> >>> www.independentid.com
> >>> phil.h...@oracle.com
> >>>
> >>> On Feb 11
Thank you for your work on this draft and sorry for the delay in my
review. Before we progress to IETF last call, I'd like to see what we can
resolve from the list below. I am looking at the IPR issues to see if we
can resolve the outstanding questions as well.
The Shepherd report says the foll
> lawyer) responded to me.
>
Thanks for the updated info. I'm reviewing the draft and will see what I can
do about getting you a response as this would be good to resolve before IESG
review.
> I updated the write-up!
Thank you!
Kathleen
>
> Ciao
> Hannes
>
>> O
Hi Hannes,
I am going through the shepherd report for draft-ietf-oauth-dyn-reg
and see that this still lists an open question around IPR, has that
been answered and is just a matter of updating the shepherd report?
If not, how can I help resolve these questions?
I also found a nit in #7 that you
Hi Hannes,
When something is written up and agreed upon, I'd recommend that we
tweet about it in force to get the writeup some attention in an effort
to help prevent this in the future. I could blog about it in the IESG
blogs too if helpful.
On Mon, Dec 1, 2014 at 11:25 AM, Hannes Tschofenig
wr
4 PM, Justin Richer wrote:
>
> Kathleen, thanks for your review. Responses inline.
>
> On Nov 19, 2014, at 9:56 PM, Kathleen Moriarty
> wrote:
>
> Hi,
>
> I reviewed draft-Ietf-oauth-dyn-reg-20 and have the following questions
> before we move this to IETF last
Hi,
I reviewed draft-Ietf-oauth-dyn-reg-20 and have the following questions before
we move this to IETF last call.
Sect 2, Has there been any consideration in the WG of using alternate auth
methods from HTTPAuth like HOBA? I realize this is referencing Oauth defined
methods from the framework
Hi Brian,
If you could make a quick update, that would be easier to prevent it
from getting lost. The shepherd and I will recheck the draft and then
I'll move it forward.
Thanks for all of your work on this!
Kathleen
On Wed, Nov 12, 2014 at 12:05 PM, Brian Campbell
wrote:
> Forwarding this to
-- Mike
>
>
>
> From: Mike Jones [mailto:michael.jo...@microsoft.com]
> Sent: Tuesday, October 14, 2014 5:45 AM
> To: Alissa Cooper
> Cc: Kathleen Moriarty; The IESG; oauth-cha...@tools.ietf.org;
> draft-ietf-oauth-json-web-to...@tools.ietf.org; oauth@ietf.org
Hi,
This comes up every once in a while, but as long as you don't use the same
password for the mailing lists as other places, there really is no threat.
If someone else posted as you, just complain and it gets addressed.
The only other risk I can think of would be someone removing you from t
On Tue, Oct 21, 2014 at 9:16 AM, Stephen Farrell
wrote:
>
> Hi Mike,
>
> I've one remaining discuss point and a comment. See below...
>
> On 14/10/14 13:50, Mike Jones wrote:
> > The proposed resolutions below have been included in the -28 draft.
> Hopefully you'll be able to clear your DISCUSSes
Thanks, Richard & Mike!
Sent from my iPhone
> On Oct 18, 2014, at 2:58 PM, Richard Barnes wrote:
>
> Dude, I cleared on the 10th :)
>
>> On Tue, Oct 14, 2014 at 5:53 AM, Mike Jones
>> wrote:
>> The proposed resolution below has been incorporated in the -28 draft.
>> Hopefully you can clear
I just caught up on the thread again and think Brian's message below may be the
most helpful to resolve this discuss.
It sounds like we have agreement that a MUST is preferred for bearer tokens and
that's what this draft is about. Would a language tweak help when HoK is
mentioned? The WG wi
On Thu, Oct 16, 2014 at 5:39 PM, Brian Campbell
wrote:
> Hiya in return and inline below...
>
> On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell <
> stephen.farr...@cs.tcd.ie> wrote:
>
>>
>> Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the
>> JOSE one has only H256 as required.
Thanks, Benoit. I'll double check this before the draft progresses.
Thanks,
Kathleen
Sent from my iPhone
> On Oct 16, 2014, at 8:33 AM, "Benoit Claise" wrote:
>
> Benoit Claise has entered the following ballot position for
> draft-ietf-oauth-saml2-bearer-21: No Objection
>
> When responding,
Mike,
Are you about ready to post an update so we can clear some of the discusses and
comments that have been agreed to (like the comment added below when the
discuss of Richard's was removed)?
It will help ADs if we are able to reduce and work on the rest. I find sooner
rather than later to
Thank you, both! I'm glad to see this one resolved.
FYI - I'll be at the Grace Hopper Celebration through Friday evening and
may be slow to respond, but will be following along.
On Tue, Oct 7, 2014 at 9:06 PM, Mike Jones
wrote:
> > -Original Message-
> > From: Ted Lemon [mailto:ted.le..
On Thu, Oct 2, 2014 at 11:14 AM, Mike Jones
wrote:
> Responding to the DISCUSS below…
>
>
>
> -Original Message-
> From: Alissa Cooper [mailto:ali...@cooperw.in]
> Sent: Wednesday, October 01, 2014 12:25 PM
> To: The IESG
> Cc: oauth-cha...@tools.ietf.org;
> draft-ietf-oauth-json-web-to.
in Section 6.3.1 of the Assertion Framework for OAuth 2.0
> Client Authentication and Authorization Grants
> [*http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1
> <http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1>*
> ].
>
>
> On
>> Deployments should determine the minimum amount of information necessary
>>>> to complete the exchange and include only such claims in the JWT. In some
>>>> cases the "sub" (subject) claim can be a value representing an anonymous
>>>> or pseudon
the Subject
> can be a value representing an anonymous or pseudonymous user as described in
> Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication
> and Authorization Grants
> [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].
>
Hello,
I just finished my review of
http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer. The draft
looks great, thank you for all of your efforts on it!
I did notice that there were no privacy considerations pointing back to
RFC6973, could that text be added? The draft came after the
Hello,
I just read through draft-ietf-oauth-jwt-bearer-09 and it looks good. The
only question/comment I have is that I don't see any mention of privacy
considerations in the referenced security sections. Could you add
something? It is easily addressed by section 10.8 of RFC6749, but there is
n
Thanks, Mike! In-line...
On Thu, Jul 3, 2014 at 4:03 PM, Mike Jones
wrote:
> Replies inline…
>
>
>
> *From:* Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com]
> *Sent:* Thursday, July 03, 2014 11:56 AM
>
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Sub