In my earlier email I forgot to include John.
John, I also need your confirmation!
Von: OAuth Im Auftrag von Tschofenig, Hannes
Gesendet: Mittwoch, 4. Oktober 2023 15:41
An: oauth@ietf.org
Betreff: [OAUTH-WG] IPR Disclosure - OAuth 2.0 Security Best Current Practice
Hi Daniel, Torsten, Andrey
Hi all,
as part of the shepherd write-up for the "OAuth 2.0 Security BCP" document,
we are looking for information about implementations of this draft.
Please let us know if there are implementations that follow the recommendations
in the draft.
I know that the document is a bit special due to t
Hi all,
here are some comments as part of my shepherd review of the OAuth Security BCP.
First, I want to send a big "Thanks" to everyone in the group for the work on
this document and to the authors in particular. It has taken us a while to come
up with such an impressive list of security recom
Hi Daniel, Torsten, Andrey,
as part of the shepherd write-up, all authors of
must confirm that any and all appropriate IPR disclosures required for full
conformance with the provisions of BCP 78 and BCP 79 have been filed.
Here is the draft:
draft-ietf-oauth-security-topics-23 - OAuth 2.0 Secur
Hi Denis,
OAuth defines 4 roles, see Section 1.1 of RFC 6749. In the three party model
there is likely a human behind the holder as well.
You can map the OAuth terms to the VC terms, if you like, as follows:
* Issuer: Authorization Server
* Holder: Client
* Verifier: Relying Party
TEEs, Truste
Hi Mike, Hi all,
As part of preparing the shepherd write-up I have read the draft and here are a
few comments.
In general, the draft looks good. The comments are fairly minor.
1. Section 4: JWT Claims
In the first paragraph you write:
"
The Claim Names within a JWT Claims Set MUST be uniq
Hi all,
I am trying to wrap up the assertion documents and I took a look at the meeting
minutes from the Berlin IETF meeting and the actions are as follows:
** John & Torsten: Please post your document review to the list.
** Authors of draft-ietf-oauth-saml2-bearer: Please provide the addition
Hi again,
I also checked the minutes from IETF#87 regarding the JWT and here are the
action items:
** I issued a WGLC, as discussed during the meeting:
http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html
** We got some reviews from James, and Prateek. Thanks, guys!
Here are the
Hi Thomas,
Thanks for sharing.
I am wondering whether you can state a bit more about the theme of the
conference since the topic is incredibly broad.
Ciao
Hannes
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of ext Thomas Hardjono
>
Hi all,
in case we need more conference call dates I took a look at the poll and the
following dates showed up:
- Tue, 3 September 2pm EDT
- Wed, 11 September 2pm EDT
- Thu, 12 September 2pm EDT
- Tue, 17 September 2pm EDT
- Wed, 18 September 2pm EDT
- Wed, 25 September 2pm EDT
- Thu, 26 Septem
Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't
able to walk through all slides). Justin was also able to work out a strawman
proposal based on the discussions last week and we will have a look at it
=MiMyNQ%3D%3D
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
> Sent: Wednesday, August 21, 2013 6:35 PM
> To: oauth mailing list
> Subject: [OAUTH-WG] Dynamic Client Registration Conference Ca
Here is the conference bridge and Webex information.
>From an agenda point of view I guess we should start at a basic level, namely
>with what we have already in the dynamic client registration document (and
>folks may have actually missed it). There are two use cases described in the
>WG docu
Hi Sergey,
The idea of the audience was to provide a way for the client to indicate the
resource server it wants to talk to explicitly rather than overloading the
scope field. We certainly need that capability for the MAC token work.
The audience information is provided when the client intera
Hi Tony,
Could you expand a little bit on those issues:
> 4. Multi-tenant support (single endpoint, multiple services)
What does multiple services mean here in the context of dynamic client
registration?
> 5. Internationalization
Where do you see internationalization play a role here?
>
part of it.
It would be interesting to hear what specifically BlueButton (in terms of use
cases) contributes.
Ciao
Hannes
From: ext Josh Mandel [mailto:jman...@gmail.com]
Sent: Tuesday, August 20, 2013 6:36 PM
To: Phil Hunt
Cc: Tschofenig, Hannes (NSN - FI/Espoo); oauth mailing list
Subject: Re
Hi Phil,
> I think we should start by reviewing use cases taxonomy.
What do you mean by "use cases taxonomy"? What exactly would we discuss under
that item?
>
> Then a discussion on any client_id assumptions and actual requirements
> for each client case. Why is registration needed for each
Hi Eve,
Thanks for pointing to this document. I took a brief look at the use case
section and also followed the link to the original UMA use case page at
http://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases
The problem with the write-up is that it does not help us in
Hi Brian,
Regarding progressing the documents here are the next steps:
a) The shepherd needs to read through the documents. I am the shepherd and
I have read through the latest version of the documents yesterday.
b) I will post a short WGLC to the list to solicit any comments on the
o the spec at a later stage or whether there
are some problems with the extensibility story.
Ciao
Hannes
From: ext John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Thursday, June 06, 2013 11:54 AM
To: Tschofenig, Hannes (NSN - FI/Espoo)
Cc: ext Tim Bray; Manger, James H; oauth@ietf.org
Subjec
Because bearer tokens have a stable RFC-numbered spec and are widely
implemented and the registration flow as documented seems like it should work?
-T
That’s the answer for why there is support for bearer tokens but it is not the
answer to why that’s the only supported mechanism.
If we want to
James, this is a very good question particularly since we have a working group
item in progress that provides security properties beyond bearer tokens.
Ciao
Hannes
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of ext
Manger, James H
Sent: Thursday, June 06, 2013 7:06 A
Re-send: my earlier mail seems to have gotten lost.
-Original Message-
From: Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Tuesday, June 04, 2013 2:21 PM
To: 'OAuth@ietf.org'
Subject: Review of the Dynamic Registration Draft
Dear draft authors, Dear working group,
I read t
Dear draft authors, Dear working group,
I read through the dynamic registration draft and here a few observations I
have made:
* The 'Initial Access Token' is really more a developer identifier. If you give
it a different
name then it might be more intuitive for the reader since the current w
Hi all,
As you have seen on the list (see
http://www.ietf.org/mail-archive/web/oauth/current/msg10526.html) I had
a chat with Mike about how to address my comment for the assertion draft
and Mike kindly provided his text proposal (see
http://www.ietf.org/mail-archive/web/oauth/current/msg10529.ht
Hi Nat,
The current text essentially says that the assertion can either be
created by the client (in which case it is self-signed) or it can be
created by some other entity (which is then called the third party token
service). So, this third party could be the authorization server.
Ciao
H
Hi Sergey,
I believe we would make faster progress on security topics if could
focus on listing security requirements we have and what threats we want
to mitigate. The reason why we have not finished this topic is simply
because everyone was just talking about specific (but incomplete)
solutions.
Hi all,
I took a look at version -06 of the assertions draft to see whether some
of the discussions had been reflected in this recent draft update.
I was hoping that there is a bit more explanation of the use case that
motivates the work. Unfortunately, the update does not contain anything
alon
Hi all,
I went through draft-ietf-oauth-revocation-01 to what has changed
between version -00 and -01.
A few minor comments:
Title: maybe you should change it from "Token Revocation" to "Revocation
of OAuth Access and Refresh Tokens" to make it a bit more informative.
The abstract is also a bi
Hi Prateek,
why do you care about the symmetric key case?
Specifying more variants requires more code and decreases
interoperability.
Ciao
Hannes
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of ext prateek mishra
Sent: Tuesday, July 10, 2012 8:42 PM
To:
Hi Bill, the call started at 8pm Helsinki time. You were an hour too late.
Ciao
Hannes
Sent from my Windows Phone
-Original Message-
From: ext William Mills
Sent: 7/9/2012 9:20 PM
To: Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] 'Finishing up design team' Conference Call
Is this
Here a few minor comments:
The specification does not provide a lot of hints for the client when an
error occurs. For example, Section 4.1.1 only says "invalid_client" is
something goes wrong with the assertion processing in case of client
authentication. The same is true for the authorization gra
Hi Mike, Hi Justin,
it would be important to point to a document or some other write-up so that
everyone in the group understands the scope of the work you are proposing to do.
Ciao
Hannes
Sent from my Windows Phone
-Original Message-
From: ext Justin Richer
Sent: 4/13/2012 9:32 PM
To:
Hi all,
this is a Last Call for comments on these three documents:
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10
http://tools.ietf.org/html/draft-ietf-oauth-assertions-01
http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02
Please have your comments in no later than April 23rd
Hi all,
you may have noticed that a number of events take place next week
related to OAuth:
Sunday: OpenID Connect Workshop
https://oic-workshop-ietf-83.eventbrite.com
Tuesday: ISOC lunch event with the title "Authentication and
Authorization: Next steps for OpenID and OAuth"
http://www.intern
Hi Blaine,
These are indeed good requirements you stated below.
When you look at the list of topics do you think that the proposed items indeed
fulfill them?
Ciao
Hannes
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of ext Blaine Co
Hi Paul,
Interesting stuff. Thanks for sharing your draft writeup with us.
Could you submit the document as Internet Draft when the submission
gates open again?
The I-D submission tool will be reopened at 00h UTC, 2012-03-26.
>From the current list of items what do you consider less
Hi Mike,
The comment I sent to Nat applies here too. Something else has to be
dropped if we add another items.
To respond to Eran's remark I will talk to the APPs ADs to figure out
whether OAuth is the right place to do this work. There are various
considerations that matter, including
Hi Nat,
We currently have 5 new items proposed for the new charter. That's quite
a lot and I expect resistance from the IESG (given our previous history
of being somewhat slow with our work).
If you want a new item something else has to be dropped instead.
Anything you do not find as impo
Thanks for the info, Barry.
I would, however, like to find an additional co-author from the group to
ensure accelerated process
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of ext Barry Leiba
> Sent: Wednesday, March 14, 2012 10:25 PM
>
FYI
-Original Message-
From: apps-discuss-boun...@ietf.org
[mailto:apps-discuss-boun...@ietf.org] On Behalf Of ext Mark Nottingham
Sent: Thursday, November 24, 2011 8:22 AM
To: IETF Apps Discuss; draft-ietf-oauth-v2-bearer@ietf.org
Cc: The IESG
Subject: [apps-discuss] APPS Area review
Hi Mike,
this is not specific enough. A string could be defined as
"
A string is a sequence of zero or more Unicode characters [UNICODE].
"
(as in RFC 4627), or as
"
8-bit binary data without a NUL (hex 00) termination
"
(as in RADIUS, RFC 2865).
In any case, we have to consider the constraints
Hi Barry,
I agree with your points below.
As said earlier this charter update is a quick short-term update to have the
webpage updated with information about what we are currently working on. As
requested by Stephen at the last IETF meeting we will recharter again after we
shipped the main s
Hi Thorsten,
Hi all,
I am wondering what the status of the security draft is. The group is
eagerly waiting for it. I fear that when it comes out it will be far too
late and it will contain a lot of material the authors may feel
comfortable but the rest of the group not necessarily.
Instead of
> > The main question for me is: "What is mandatory to implement?"
>
> Nothing. The authorization server can support whatever client
> authentication methods it deems appropriate. *IF* client
> password credentials are supported, then the spec offers one
> way to provide them using parameters.
Hi Torsten,
We have to figure out what the most efficient way is to get our work
done.
With the Prague IETF we will see again whether there is a need for
face-to-face meeting. We had phone conference calls earlier this year as
well. That's another option to make progress in addition to the usage
Hi all
I wonder whether the question of "signature in the main specification or
in a separate document" does not really matter. It is purely a matter of
document management style.
The important question is whether there will be a **mandatory to
implement** or **mandatory to use** someone in the
I am not aware of the ITU-T terminology. Are the documents publically
available?
> -Original Message-
> From: ext Igor Faynberg [mailto:igor.faynb...@alcatel-lucent.com]
> Sent: Wednesday, August 11, 2010 7:31 PM
> To: Tschofenig, Hannes (NSN - FI/Espoo)
> Cc: OAuth W
Hi all,
Althought this request is only indirectly related to the OAuth protocol
work I nevertheless think your input is valuable. We have just submitted
a new version of the privacy and identity management terminology
document:
http://www.ietf.org/internet-drafts/draft-hansen-privacy-terminology-
Hi all,
As mentioned in the meeting agenda Blaine and myself thought it would be
useful to schedule a tutorial about OAuth during the IETF week.
The morning slot (9am till max 11:30am) on Friday seems to be good.
I will organize a meeting room. Details will be provided later.
Ciao
Hannes & Bl
One possibility is to just add a prefix for standardized values that are not
allowed to be used in other cases, such as "std:".
Ciao
Hannes
> -Original Message-
> From: ext William Mills [mailto:wmi...@yahoo-inc.com]
> Sent: Thursday, June 24, 2010 8:15 PM
>
Hi all,
An early version of the agenda is available and indicates that the Oauth
WG session is scheduled for Tuesday, July 27, 2010.
The agenda is still subject to change.
The final agenda will be published on July 2, 2010.
Ciao
Hannes
___
OAuth m
iao
Hannes
> -Original Message-
> From: ext Lukas Rosenstock [mailto:l...@lukasrosenstock.net]
> Sent: Thursday, June 24, 2010 10:49 AM
> To: Dick Hardt
> Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG
> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>
Hi Eran,
Hi all,
I briefly browsed through the -08 version of the draft to figure out
what could be written about extensibility. Here are a few thoughts:
- Client Profiles
This is probably the most important item were people will want to write
extensions for. Currently, we have the following
Hi all,
Those who attended the last IETF meeting noticed that the actual working
group slots are quite short (around 2 hours). The feedback I got was
that this does not leave us with enough time to get work done. I
understand that argument and acknowledge that not everyone wants to
attend a punch
OAuth 2.0 Draft 5 Issues List
Intro:
- Purposes/use cases should appear in intro
- Describe role wrt OpenID and auth schemes ??
- Requirements should be removd out of intro
Intro should describe goals and possibilities of OAuth
- Requirements is a limited set, but it should be clarified that they
Hi all,
This is an early warning!
As mentioned at the last IETF meeting we are thinking about organizing a
face-to-face interim meeting attached to the Internet Identity Workshop
(see http://www.internetidentityworkshop.com/) on the 20th of May (in
Mountain View). As a host we have tentatively
I agree with your statements below. I would remove the CAPTCHA concept
from the document.
Ciao
Hannes
>-Original Message-
>From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org]
>On Behalf Of ext David Recordon
>Sent: 09 March, 2010 06:54
>To: OAuth WG
>Subject: [OAUTH-WG] The ver
ndent implementations will have a hard time to interwork
automatically anyway.
>-Original Message-
>From: ext David Recordon [mailto:record...@gmail.com]
>Sent: 21 February, 2010 19:42
>To: Tschofenig, Hannes (NSN - FI/Espoo)
>Cc: Eran Hammer-Lahav; oauth@ietf.org
>Subject: Re: [OAU
Hi Eran,
There are a couple of problems with this survey. See below
>-Original Message-
>From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org]
>On Behalf Of ext Eran Hammer-Lahav
>Sent: 18 February, 2010 19:14
>To: OAuth WG (oauth@ietf.org)
>Subject: [OAUTH-WG] WG Survey
>
>A fe
I registered for the seminar, got the bridge info, dialed in and nobody
was there.
Are there slides available?
>-Original Message-
>From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org]
>On Behalf Of ext Eve Maler
>Sent: 25 January, 2010 14:03
>To: OAuth WG
>Subject: [OAUTH-WG] F
61 matches
Mail list logo
