Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-15 Thread nadalin
1) Do you support the charter text? Or do you have objections or blocking concerns (please describe what they might be and how you would propose addressing the concern)? Not sure I support at this point, I understand the need for an architecture document with patterns and definitions, etc. Th

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-19 Thread nadalin
Orie, thanks for the response I’m still confused on this charter proposal as I read this charter it is to create architecture, patterns and definitions for electronic credentials. The charter should be free of any technology including W3C, if people want clarity about what an electronic cred

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-20 Thread nadalin
arter-ietf-spice/00-00/#milestones> Milestones From: Orie Steele Sent: Monday, February 19, 2024 6:15 PM To: Anthony Nadalin Cc: Roman Danyliw ; oauth Subject: Re: [OAUTH-WG] FW: Call for consensus on SPICE charter Inline: On Mon, Feb 19, 2024, 7:34 PM mailto:nada...@prodigy

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-20 Thread nadalin
document defining SD-CWT to the IESG for publication * 03-2026 - Submit a document as a proposed standard covering Metadata Discovery to the IESG for publication <https://datatracker.ietf.org/doc/charter-ietf-spice/00-00/#introduction> Introduction <https://datatracker.ietf.

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread Anthony Nadalin
I support adoption of this draft as a working group document with the following caveats: 1. These are not to be used as ID Tokens/authentication tokens 2. The privacy issues must be addressed 3. Needs to be extensible, much like ID-Token, can't be 100% fixed -Original Message- From:

Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop

2019-08-08 Thread Anthony Nadalin
How about the University in Gjovik ? From: OAuth on behalf of Daniel Fett Sent: Wednesday, August 7, 2019 11:47:51 PM To: Dick Hardt ; dba...@leastprivilege.com Cc: Mike Jones ; OAuth WG Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop

2019-08-12 Thread Anthony Nadalin
I know you were too polite ! From: Steinar Noem Sent: Saturday, August 10, 2019 11:04 AM To: Nat Sakimura Cc: Anthony Nadalin ; Mike Jones ; OAuth WG Subject: Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop That is good to hear, Nat. I tried to be as polite as possible in

Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

2020-02-18 Thread Anthony Nadalin
I would suggest a SHOULD NOT instead of MUST, there are still sites using this and a grace period should be provided before a MUST is pushed out as there are valid use cases out there still. From: OAuth On Behalf Of Dick Hardt Sent: Tuesday, February 18, 2020 12:37 PM To: oauth@ietf.org Subject

Re: [OAUTH-WG] Call for Adoption: DPoP

2020-03-17 Thread Anthony Nadalin
+1 From: OAuth On Behalf Of Mike Jones Sent: Tuesday, March 17, 2020 8:14 AM To: Rifaat Shekh-Yusef ; oauth Subject: [EXTERNAL] Re: [OAUTH-WG] Call for Adoption: DPoP I am for adoption of DPoP. -- Mike From: OAuth mailto:oauth-boun...@iet

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-03 Thread Anthony Nadalin
Yes on token_type Sent from my Windows Phone From: Torsten Lodderstedt Sent: ‎2/‎3/‎2013 6:02 AM To: OAuth WG Subject: [OAUTH-WG] draft-ietf-oauth-revocation Hi all, before I publish a new revision of the dra

Re: [OAUTH-WG] How soon until last call on introspection and revocation

2013-02-06 Thread Anthony Nadalin
I think that there are still fundamental design disagreements that would need to be resolved. Sent from Windows Mail From: Justin Richer Sent: ‎February‎ ‎6‎, ‎2013 ‎6‎:‎57‎ ‎AM To: Hannes Tschofenig CC: IETF oauth WG Subject: Re: [OAUTH-WG] How soon until last call on introspection and revocati

Re: [OAUTH-WG] Registration: HAL _links structure and client self-URL

2013-02-12 Thread Anthony Nadalin
I doubt that the ToS and Privacy Policy will be different for a given Trust Framework provider, as these are all bilateral agreements, I do expect these to be different between trust framework providers though -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org

Re: [OAUTH-WG] [jose] Meeting for people interested in OpenID Connect at IETF#86 in Sun Mar 10

2013-03-02 Thread Anthony Nadalin
I thought it was Sunday -Original Message- From: jose-boun...@ietf.org [mailto:jose-boun...@ietf.org] On Behalf Of Barry Leiba Sent: Saturday, March 2, 2013 11:58 AM To: John Bradley Cc: openid-connect-inte...@googlegroups.com; Group Group; oauth@ietf.org WG; ; webfin...@ietf.org Subject

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Anthony Nadalin
Agree From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Monday, May 20, 2013 9:42 AM To: Justin Richer Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration This draft isn't ready for LC. Phil On 2013-05-20, at 8:49,

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-22 Thread Anthony Nadalin
[mailto:jric...@mitre.org] Sent: Monday, May 20, 2013 11:10 AM To: Anthony Nadalin Cc: Phil Hunt; oauth@ietf.org Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration Tony, can you be more specific? What needs to be changed in your opinion? What text changes would you suggest

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-22 Thread Anthony Nadalin
[mailto:jric...@mitre.org] Sent: Wednesday, May 22, 2013 1:35 PM To: Anthony Nadalin Cc: Phil Hunt; oauth@ietf.org Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration I'm not sure why you don't think it's in scope, it's in the working group's charte

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-22 Thread Anthony Nadalin
My mistake, was to say, We already have OpenID Connect doing dynamic registration, I don’t think there is a need to force it into OAuth. From: Phil Hunt [mailto:phil.h...@oracle.com] Sent: Wednesday, May 22, 2013 3:16 PM To: Anthony Nadalin Cc: Justin Richer; oauth@ietf.org Subject: Re: [OAUTH

Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE

2013-05-29 Thread Anthony Nadalin
So there could be privacy issues on why I would not want the ISS or AUD outside the encrypted payload From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Dick Hardt Sent: Tuesday, May 28, 2013 9:34 AM To: O Auth WG Subject: Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserve

Re: [OAUTH-WG] SAML-like ActAs

2013-07-19 Thread Anthony Nadalin
You can accomplish the ActAs semantics with Assertions profile, while a bit clumsy the basics are in place, the only issue is that you don't have any way to indicate the formal semantics From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Prateek Mishra Sent: Friday, July

Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Anthony Nadalin
So is the intent to provide an enterprise authentication claim? I would think that the proposal would use JWT as the token and then define the appropriate claim in the JWT From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Monday, July 29, 2013 1:14 AM To:

Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

2013-08-01 Thread Anthony Nadalin
It's called exercise or take the S7, this also give you a culture experience of getting away from the hotel and IETF crowd. From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, August 1, 2013 12:10 AM To: Anthony Nadalin Cc: Hannes Tschofenig; oauth mailing list Subjec

Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

2013-08-01 Thread Anthony Nadalin
Life is full of surprises and bountiful experiences From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, August 1, 2013 12:35 AM To: Anthony Nadalin Cc: Hannes Tschofenig; oauth mailing list Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00 I wasn&#

Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

2013-08-15 Thread Anthony Nadalin
; A signed token approach has many advantages for service >>>>>>>> providers like not having to maintain a secure database of >>>>>>>> secrets/passwords. >>>>>>> If the concern here is the amount of data the Authorization >

Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

2013-08-16 Thread Anthony Nadalin
re where you deploy at -- if URL space is at a premium for you, then switch based on input parameters and other things. And you're still not clear on which "secrets" you're taking issue with. -- Justin On 08/13/2013 10:46 AM, Anthony Nadalin wrote: #1, its yet anot

Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

2013-08-16 Thread Anthony Nadalin
icher mailto:jric...@mitre.org wrote: The spec doesn't care where you deploy at -- if URL space is at a premium for you, then switch based on input parameters and other things. And you're still not clear on which "

[OAUTH-WG] Dynamic Client Registration Requirements

2013-08-20 Thread Anthony Nadalin
Here are some of our requirements for Dynamic Client Registration as we work through the various proposals: 1. Stateless server 2. Code flow support 3. Implicit flow support 4. Multi-tenant support (single endpoint, multiple services) 5. internationalization 6. simple provisioning schema with sc

Re: [OAUTH-WG] Audience parameter in authorization flow

2013-08-21 Thread Anthony Nadalin
I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.o

Re: [OAUTH-WG] Dynamic Client Registration Requirements

2013-08-21 Thread Anthony Nadalin
asserting it, so yes you have the concept. -Original Message- From: Tschofenig, Hannes (NSN - FI/Espoo) [mailto:hannes.tschofe...@nsn.com] Sent: Wednesday, August 21, 2013 9:28 AM To: Anthony Nadalin; oauth mailing list Subject: RE: Dynamic Client Registration Requirements Hi Tony, Could

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Anthony Nadalin
Phil, this just brings me back to the question, "why are we doing this in OAuth" ? Configuration endpoint (nothing to do with OAuth), Registration Endpoint (too complicated, goes beyond the bounds of OAuth), why not just a stateless and state full registration message and that's it? -Origin

Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

2013-08-23 Thread Anthony Nadalin
--Amanda On 8/23/13 4:24 AM, "Hannes Tschofenig" wrote: >Thank you all for joining yesterday's conference call. I took some >notes during the call. > > Meeting Minutes > >Participants: >- William Kim >- John Bradley >- Antonio Sanso >- Mike

Re: [OAUTH-WG] Refactoring Dynamic Registration

2013-08-27 Thread Anthony Nadalin
Thanks for splitting this and making it simple. It's unclear if the server must send the metadata back in same form/order/ as sent, that is, does client expect to get back only what was sent with what server values will be or can client deal with defaults that the server sets -Original Mess

Re: [OAUTH-WG] Refactoring Dynamic Registration

2013-08-27 Thread Anthony Nadalin
: Tuesday, August 27, 2013 11:12 AM To: Anthony Nadalin Cc: oauth mailing list Subject: Re: Refactoring Dynamic Registration A JSON object is not order dependent by definition, so order of elements doesn't matter. In the section on client metadata and the client information response, it'

Re: [OAUTH-WG] Refactoring Dynamic Registration

2013-08-27 Thread Anthony Nadalin
- From: Justin Richer [mailto:jric...@mitre.org] Sent: Tuesday, August 27, 2013 11:34 AM To: Anthony Nadalin Cc: oauth mailing list Subject: Re: Refactoring Dynamic Registration If the server does not understand a parameter (and by this, remember, we mean a field in the JSON object, not a query

Re: [OAUTH-WG] Refactoring Dynamic Registration

2013-08-27 Thread Anthony Nadalin
I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf

Re: [OAUTH-WG] Refactoring Dynamic Registration

2013-08-27 Thread Anthony Nadalin
and how the registration data is organized /represented as each server has to deal with all sorts of clients. -Original Message- From: Justin Richer [mailto:jric...@mitre.org] Sent: Tuesday, August 27, 2013 11:42 AM To: Anthony Nadalin Cc: oauth mailing list Subject: Re: Refactoring

Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt

2013-08-27 Thread Anthony Nadalin
warded message: From: internet-dra...@ietf.org Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt Date: 27 August, 2013 8:56:45 AM PDT To: Phil Hunt <phil.h...@yahoo.com>, Anthony Nadalin <tony...@microsoft.com>, T

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

2013-08-28 Thread Anthony Nadalin
>Therefore I once again call for the WG to finish the current dynamic >registration spec *AND* pursue the assertion based process that Phil's talking >about. They're not mutually exclusive, let's please stop talking I see no reason to continue to push finish the current specification when there

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

2013-08-28 Thread Anthony Nadalin
:51 AM To: Anthony Nadalin Cc: Phil Hunt; oauth mailing list Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details Except that folks are already actually implementing and using the spec, and that all of the discussions around different

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

2013-08-28 Thread Anthony Nadalin
lEncoded-SAML2-Bearer-Assertion probably the same works with JWT Sergey Thanks, George On 8/28/13 12:28 PM, Anthony Nadalin wrote: I do think that this is the rare-edge use case, we would not want require client-secret, we already have that mess today with OAuth and trying not

Re: [OAUTH-WG] Fwd: [oauth-interop] scope and reach of testing activity

2013-10-08 Thread Anthony Nadalin
One thing to look at are the OpenID Connect interop tests and the portions/flows of OAuth that it covers, as that is going on now. From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Prateek Mishra Sent: Monday, October 7, 2013 2:39 PM To: IETF oauth WG Subject: [OAUTH-WG]

Re: [OAUTH-WG] FYI per a request on the last conference call, this is a method for making client registration stateless.

2013-10-21 Thread Anthony Nadalin
Phil, I agree with your observations, seems like it's screwed up From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Monday, October 21, 2013 10:21 AM To: John Bradley Cc: oauth list Subject: Re: [OAUTH-WG] FYI per a request on the last conference call, this is

[OAUTH-WG] Proof of Possession

2013-10-22 Thread Anthony Nadalin
Hannes, we would like 10min on the agenda at the Vancouver IETF meeting to present/discuss POP

Re: [OAUTH-WG] OAuth Agenda for IETF-88

2013-10-31 Thread Anthony Nadalin
The client registration is still open, so we need to continue our discussion that was started with the interim call -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Derek Atkins Sent: Thursday, October 31, 2013 1:07 PM To: oauth@ietf.org Subjec

Re: [OAUTH-WG] OAuth Agenda for IETF-88

2013-10-31 Thread Anthony Nadalin
Would like 10 min to discuss ActAs draft -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Derek Atkins Sent: Thursday, October 31, 2013 1:07 PM To: oauth@ietf.org Subject: [OAUTH-WG] OAuth Agenda for IETF-88 The IETF is next week, and OAuth mee

Re: [OAUTH-WG] draft-bradley-stateless-oauth-client-00

2013-11-04 Thread Anthony Nadalin
We need to avoid encoding secrets and authentication with client_id as authentication is not part of our mission From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Monday, November 4, 2013 1:38 PM To: Hannes Tschofenig Cc: oauth@ietf.org WG Subject: Re:

Re: [OAUTH-WG] draft-bradley-stateless-oauth-client-00

2013-11-04 Thread Anthony Nadalin
We have mechanisms to do this it's not in our scope to start to encode the client_id with authentication information From: Nat Sakimura [mailto:sakim...@gmail.com] Sent: Monday, November 4, 2013 1:57 PM To: Anthony Nadalin Cc: Hannes Tschofenig; oauth@ietf.org WG Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] draft-bradley-stateless-oauth-client-00

2013-11-04 Thread Anthony Nadalin
Identification is fine as long as it remains opaque and not specific to any format. Authentication remains out of scope From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Monday, November 4, 2013 2:05 PM To: Anthony Nadalin Cc: Nat Sakimura; Hannes Tschofenig; oauth@ietf.org WG Subject: Re

Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!

2014-02-03 Thread Anthony Nadalin
So it's a tiny bit better but not sure it has captured all of what was being proposed to fix the original, still not there. 1. The signature on the software statement should be optional 2. The software statement should be an assertion, the assertion can be whatever profiles exist, I understand

Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!

2014-02-06 Thread Anthony Nadalin
I would agree with Phil, the server makes right in this case, specific statement may be sent but the processed statement is returned which may be different -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Thursday, February 6, 2014 10:39 AM T

Re: [OAUTH-WG] Draft Agenda

2014-02-24 Thread Anthony Nadalin
Could either Mike or I get 5 min for ActAS/OnBehalf of update? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, February 24, 2014 10:47 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft Agenda Hi all, we put a draft agenda online: http://www.ietf.org/proceed

Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2

2014-02-25 Thread Anthony Nadalin
May things should change back as announced? Things in life change From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Tuesday, February 25, 2014 11:58 AM To: Brian Campbell Cc: oauth Subject: Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2 Yes. Things chan

Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2

2014-02-25 Thread Anthony Nadalin
Agree, the OAUTH meeting should change to afternoon -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Tuesday, February 25, 2014 2:56 PM To: John Bradley Cc: oauth Subject: Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2 Yes,

Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2

2014-02-27 Thread Anthony Nadalin
thony Nadalin; Brian Campbell; oauth; Lucy Lynch Subject: Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2 On Wed, 26 Feb 2014, John Bradley wrote: > I asked for the room from 12 to 5. The chair had the time changed so > we reserved the room from 10 to 3pm. > > We woul

Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

2014-03-04 Thread Anthony Nadalin
MFW -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Morteza Ansari (moransar) Sent: Tuesday, March 4, 2014 10:34 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work WFM too. On 3/4/14

Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

2014-03-06 Thread Anthony Nadalin
I'm not convinced that scope should be in core -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of tors...@lodderstedt.net Sent: Thursday, March 6, 2014 12:38 AM To: oauth@ietf.org Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes Hi, regarding dynamic client r

Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

2014-03-06 Thread Anthony Nadalin
+1 should not be merged -Original Message- From: Mike Jones Sent: Thursday, March 6, 2014 5:19 AM To: Anthony Nadalin; tors...@lodderstedt.net; oauth@ietf.org Subject: RE: [OAUTH-WG] IETF #89 OAuth Meeting Notes I also disagree with moving "scope" into the core registration

Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

2014-03-06 Thread Anthony Nadalin
ynamic Client Registration specifications: * OAuth 2.0 Dynamic Client Registration Core Protocol * OAuth 2.0 Dynamic Client Registration Metadata * OAuth 2.0 Dynamic Client Registration Management Protocol These versions address review comments by Phil Hunt and Tony Nadalin.

Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

2014-03-06 Thread Anthony Nadalin
Same is true for the registration_client_uri as I may not need/want this, should be optional From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin Sent: Thursday, March 6, 2014 7:02 AM To: Mike Jones; oauth@ietf.org list Subject: Re: [OAUTH-WG] Working Group Versions of

Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents

2014-04-05 Thread Anthony Nadalin
If these are going to be combined then a draft should be produced and then a decision should be made once everyone has a chance to review -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Friday, April 4, 2014 5:49 PM To: Hannes Tschofenig; oauth

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

2014-04-06 Thread Anthony Nadalin
I have to agree with Phil on this as there are already spec out there that use HoK and PoP , either of these work but prefer HoK as folks get confused with PoP as we have seen this within our company already From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, Apri

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
I agree with Phil on this one, there are implementations of this already and much interest From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Wednesday, May 14, 2014 8:32 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
Please list the implementations From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, May 14, 2014 10:59 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering I know a number of people implementing http://tools.

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
a4c. From: Chuck Mortimore [mailto:cmortim...@salesforce.com] Sent: Wednesday, May 14, 2014 9:39 AM To: Anthony Nadalin Cc: Phil Hunt; Brian Campbell; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering Can you point to one publicly available or publicly documented

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-15 Thread Anthony Nadalin
Where is the confusion ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, May 14, 2014 10:59 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering I know a number of people implementing http://tools.ietf.or

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-05 Thread Anthony Nadalin
It’s great but some ways but also very limiting if you are counting on certain requirements to be represented in the access token From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Thursday, June 5, 2014 12:40 PM To: Bill Mills Cc: Phil Hunt; oauth@ietf.org Subject

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-05 Thread Anthony Nadalin
Delegation From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Thursday, June 5, 2014 12:45 PM To: Anthony Nadalin Cc: Bill Mills; Phil Hunt; oauth@ietf.org Subject: Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c Examples? Am 05.06.2014 um 21:42 schrieb Anthony

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
The explanation of on-behalf-Of and ActAs are correct in the document as defined by WS-Trust, this may not be your desire or understanding but that is how WS-Trust implementations should work From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 3, 2014 11:

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
I’m lost, the terms defined in the oauth token-exchange draft are the same terms defined in ws-trust and have the same definitions From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, July 3, 2014 12:02 PM To: Anthony Nadalin Cc: Vladimir Dzhuvinov; oauth@ietf.org Subject: Re

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
do plan to refresh this draft to allow for a more flexible trust model shortly. -- Mike From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin Sent: Thursday, July 03, 2014 12:04 PM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-jones-

Re: [OAUTH-WG] Shepherd Writeup for Dynamic Client Registration Draft

2014-07-15 Thread Anthony Nadalin
Is your implementation from the OpenID Connect specification or from the IETF specification From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Edmund Jay Sent: Tuesday, July 15, 2014 11:01 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Writeup for Dynamic Client R

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
if we take Ian’s non technical advice then most of the work in Oauth should be put down. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Thursday, July 24, 2014 5:29 AM To: John Bradley Cc: oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notification for draf

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
I’m sure it was spun in a way that could be true since there was no technical value to Ian’s statement and I’m sure that folks had not read or understand the usage. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 24, 2014 6:53 AM To: Nat Sakimura Cc:

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
OMG, how can you say that when the Dynamic Reg does the same thing (duplicates) but that is OK to do From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 24, 2014 10:22 AM To: John Bradley Cc: oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notifica

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
Oh yea, real different, give me a freaking break From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, July 24, 2014 6:31 PM To: Anthony Nadalin Cc: John Bradley; oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt The

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

2014-07-29 Thread Anthony Nadalin
I think we need management APIs now to manage the new endpoint, but seriously this introspection proposal has privacy issues, to avoid these I would encrypt the tokens and then this would be a useless endpoint, also this has issues with symmetric POP tokens, but maybe this was only designed to w

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

2014-07-30 Thread Anthony Nadalin
John this is for the people that did not hum at the face to face and not just for the people not at the face to face. Sent from my Windows Phone From: John Bradley Sent: ‎7/‎30/‎2014 7:20 AM To: Sergey Beryozkin

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

2014-08-11 Thread Anthony Nadalin
I read the draft and just don’t get it, it overloads some of the basic semantics, I’m not quite sure you get the concept of token exchange, has what you described been deployed ? or even built ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, August 11, 2014

Re: [OAUTH-WG] Working Group Last Call on "Symmetric Proof of Possession for the OAuth Authorization Code Grant"

2014-08-27 Thread Anthony Nadalin
Not all of us look at individual drafts, and thus I have not previously read this, but I did this morning and find that there are issues with the way the "code challenge" is specified as this requires pre negation of what/how that value was achieved and a large scale deployment that is almost im

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
Is "experimental" the correct classification? Maybe "informational" is more appropriate as both of these were discussed. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, September 10, 2014 4:50 PM To: oauth@ietf.org Subject: [

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
I don't see it that way as the guidelines are not clear and we should revisit this since there was no conclusion in Toronto. -Original Message- From: Richer, Justin P. [mailto:jric...@mitre.org] Sent: Thursday, September 11, 2014 8:01 AM To: Anthony Nadalin Cc: Hannes Tschofenig;

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Anthony Nadalin
Add me -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday, September 11, 2014 3:30 PM To: oauth@ietf.org Cc: Derek Atkins Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong? Hi all, at the last IETF meeting Mike gave a

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Anthony Nadalin
Same here -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, October 16, 2014 10:17 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call For what it's worth, I was on th

[OAUTH-WG] draft-ietf-oauth-introspection

2014-11-30 Thread Anthony Nadalin
Comments Intro "about the authentication conext", not sure what this is since there is no authentication context in Oauth Use of Oauth2, mixed with use of Oauth, pick one "allows holder of a token to query" so anything/anyone that has a token can use this endpoint? Introspection Endpoint Use of

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-01 Thread Anthony Nadalin
"active" is supposed to mean so folks get the same results on different endpoints From: Justin Richer [mailto:jric...@mit.edu] Sent: Sunday, November 30, 2014 6:57 PM To: Anthony Nadalin Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-introspection Tony, thanks for the commen

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-02 Thread Anthony Nadalin
ion. What about the Audience restricted tokens, do you expect the endpoint to ignore this and process the tokens for metadata ? From: Justin Richer [mailto:jric...@mit.edu] Sent: Monday, December 1, 2014 4:42 PM To: Anthony Nadalin Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Anthony Nadalin
>The definition of “active” is really up to the authorization server, and I’ve >yet to hear from an actual implementor who’s confused by this definition. When >you’re the one issuing the tokens, you know what an “active” token means to you According to the spec as written the Introspection endpo

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread Anthony Nadalin
Why does the specification state "encrypted to a key known to the recipient using the JWE Compact Serialization" is this the only serialization allowed (there is no MUST) ? containing the symmetric key. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Ts

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-05 Thread Anthony Nadalin
invented structure. So how do I tell what "cnf" really is ? Is this proposal also limited to a single key for both asymmetric and symmetric ? -Original Message- From: Mike Jones Sent: Wednesday, March 4, 2015 3:34 PM To: Anthony Nadalin; Hannes Tschofenig; oauth@ietf.org

[OAUTH-WG] Token Introspection: Misc Review Comments

2015-03-05 Thread Anthony Nadalin
Some comments: > The endpoint MAY allow other parameters to provide further context to the > query. If the endpoint does not understand these the endpoint must ignore. The only MUST in this specification is to return the "active" Boolean, but this is still underspecified as there is no definit

Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Anthony Nadalin
There are some folks out there that are using AUD to mean DST. Adding DST is confusing, if you want to use it that's fine but don't see a need to standardize every claim that someone comes up with Sent from my Windows Phone From: Brian Campbell

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-01 Thread Anthony Nadalin
Not quite, the actual tokens are still opaque, the requestor is just asking for a token exchange, the requestor can specify the requested token type it's up to the server to determine the actual token it will deliver -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Beha

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-06 Thread Anthony Nadalin
The WS-Trust “ActAs” mimics the Windows Kerberos Protocol Transition (impersonation) feature as this enables an account to impersonate another account for the purpose of providing access to resources. In a typical scenario, the impersonating account would be a service account assigned to a web

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-06 Thread Anthony Nadalin
use case then what the feature of https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-01#section-1.3 describes. From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Monday, July 6, 2015 2:33 PM To: Anthony Nadalin Cc: Mike Jones ; oauth Subject: Re: [OAUTH-WG] JWT Token on

Re: [OAUTH-WG] Token Chaining Use Case

2015-07-07 Thread Anthony Nadalin
I’m not sure how Brian’s approach solves the basic generic token exchange use case that we have From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Richer Sent: Tuesday, July 7, 2015 4:47 PM To: Mike Jones Cc: Subject: Re: [OAUTH-WG] Token Chaining Use Case This approach is not a

Re: [OAUTH-WG] Use of Token Exchange spec for API Federation

2015-07-15 Thread Anthony Nadalin
So in your scenario where you have client (c), user (u), resource (r) and resource 1(r1) does the flow go like U->C->R-R1 or U->C->R and U->C->R1 ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Chuck Mortimore Sent: Wednesday, July 15, 2015 12:47 PM To: OAuth WG ; Mike Jones Subject:

Re: [OAUTH-WG] confirmation model in proof-of-possession-02

2015-08-18 Thread Anthony Nadalin
d011db47%7c1&sdata=mVCW7aDWJwiUWjKY4XRik1hMJ >> gcxsZO85KRedzj%2bJkY%3d in which he stated that "flattening would be >> a bad direction". Nat also implicitly endorsed keeping "cnf" in his >> WGLC review comments in >> https://na01.safelinks.protectio

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
Not sure why you think it's weaker as it would be a wrapped key that the hardware produces -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, November 4, 2015 8:43 PM To: Justin Richer Cc: Subject: Re: [OAUTH-WG] Proof-of-Possessio

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
: Wednesday, November 4, 2015 8:48 PM To: Anthony Nadalin Cc: John Bradley ; Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment That’s only if you’re using good hardware to produce a key. We can’t assume that’s the only kind of client that will

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
I can say on all windows based devices (pc, xbox, phone, etc) with only TPM 1.1 this will be the approach so it will be commonly used -Original Message- From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Wednesday, November 4, 2015 8:52 PM To: Anthony Nadalin Cc: Justin Richer

Re: [OAUTH-WG] IETF 95 - Buenos Aires

2016-01-17 Thread Anthony Nadalin
I’m afraid that I would have to agree with Brian (hopefully this is not a trend) From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Friday, January 15, 2016 9:16 AM To: Hannes Tschofenig Cc: oauth@ietf.org; Rolando Martínez Subject: Re: [OAUTH-WG] IETF 95 - Buenos Aire
