Re: [OAUTH-WG] OAuth 2.0 Proof-of-Possession (PoP) Security Architecture

2023-03-27 Thread torsten=40lodderstedt . net
Hi Nat, the Secure BCP defines sender-constrained access tokens and (I think) gives a comprehensive description of the attacks prevented by sender-constrained access tokens. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#name-misuse-of-stolen-access-tok Do you think

Re: [OAUTH-WG] Request for Feedback on "SD-JWT VC" Draft Specification

2023-05-27 Thread torsten=40lodderstedt . net
I support adoption of this draft. It is an important piece to use SD-JWT for Verifiable Credentials. On 27 May 2023, 12:52 +0200, Leif Johansson wrote: > Likewise! > > Sent from my iPhone > > > On 27 May 2023 at 01:12, Giuseppe De Marco wrote: > > > > Hi, > > > > I support sd-jwt-vc with the

Re: [OAUTH-WG] RFC 9396 - RAR doubt about examples

2023-06-13 Thread torsten=40lodderstedt . net
Hi, the difference between section 7 and 9 is as Kai described it. Section 7 is about additional data given to the client in the token response that is needed to perform the rest of the process. Figure 17, for example, shows how the authorization details object is enriched with the account num

Re: [OAUTH-WG] RFC 9396 - RAR doubt about examples

2023-06-13 Thread torsten=40lodderstedt . net
On 13 June 2023, 12:02 +0200, Oliva Fernandez, Jorge wrote: Hi Torsten, Thanks for your answer but this seems still very confused to me, so just let me put a real use case for RAR and see if I can understand correctly, suppose that Open Banking (never mind the country) replace the lo

Re: [OAUTH-WG] RFC 9396 - RAR doubt about examples

2023-06-13 Thread torsten=40lodderstedt . net
The token response is different as this is part of the interface between AS and client, i.e. there needs to be rules in place so both parties can interoperate. OAuth has traditionally always focused on client to AS and client to RS for interoperability and left out AS to RS from the equation. b

Re: [OAUTH-WG] OAuth 2.0 Attestation-Based Client Authentication

2023-07-21 Thread torsten=40lodderstedt . net
Those claims are asserted by the issuer of the assertion, which could be a trusted third party. Trust management happens on top of the draft. This could mean x5c, could also be a trust list with the issuer URLs. In the OID4VC High Assurance Profile, which utilizes this draft, we will facilitate

Re: [OAUTH-WG] Call for adoption - Attestation-Based Client Authentication

2023-07-30 Thread torsten=40lodderstedt . net
+1 for adoption On 30 July 2023, 16:28 +0200, Orie Steele wrote: > I support adoption > > > On Sun, Jul 30, 2023, 9:14 AM Pieter Kasselman > > wrote: > > > I support adoption. > > > > > > From: OAuth On Behalf Of Rifaat Shekh-Yusef > > > Sent: Saturday, July 29, 2023 8:27 PM > > > To: oauth

Re: [OAUTH-WG] Call for adoption - SD-JWT-based Verifiable Credentials

2023-07-30 Thread torsten=40lodderstedt . net
+1 for adoption On 30 July 2023, 16:28 +0200, Orie Steele wrote: > I support adoption. > > > On Sun, Jul 30, 2023, 9:15 AM Pieter Kasselman > > wrote: > > > I support adoption of this draft. > > > > > > From: OAuth On Behalf Of Rifaat Shekh-Yusef > > > Sent: Saturday, July 29, 2023 8:25 PM >

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-18 Thread torsten=40lodderstedt . net
Hi Roman, I’m writing this post on behalf of the group of co-authors who proposed the following drafts for adoption by the OAuth WG: draft-ietf-oauth-attestation-based-client-auth draft-ietf-oauth-sd-jwt-vc draft-looker-oauth-jwt-cwt-status-list We have brought these drafts to the IETF because

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-19 Thread torsten=40lodderstedt . net
Hi Orie, best regards, Torsten. On 18 Sept 2023, 16:01 +0200, Orie Steele wrote: > Torsten, > > Thanks for sharing this excellent framing. > > I agree with everything you said. > > Please correct me if I'm wrong about anything in this summary: > > 1. Keep working on JWT based credential format

Re: [OAUTH-WG] Call for adoption - JWT and CWT Status List

2023-09-30 Thread torsten=40lodderstedt . net
+1 for adoption On 30 Sept 2023, 15:33 +0200, Aaron Parecki wrote: > I support adoption > > > > On Sat, Sep 30, 2023 at 5:53 AM Rifaat Shekh-Yusef > > wrote: > > > All, > > > > > > This is an official call for adoption for the JWT and CWT Status List > > > draft: > > > https://datatracker.i

Re: [OAUTH-WG] IPR Disclosure - OAuth 2.0 Security Best Current Practice

2023-10-04 Thread torsten=40lodderstedt . net
I am not aware of any IPR associated with this document. On 4 Oct 2023, 17:16 +0200, Daniel Fett wrote: > I am not aware of any IPR associated with this document. > -Daniel > On 04.10.23 at 17:10, Tschofenig, Hannes wrote: > > In my earlier email I forgot to include John. > > > > John, I also

Re: [OAUTH-WG] Implementation Status of the "OAuth 2.0 Security BCP"

2023-10-04 Thread torsten=40lodderstedt . net
Hi, the yes open banking ecosystem was implemented based on the Security BCP. best regards, Torsten. On 4 Oct 2023, 16:46 +0200, Tschofenig, Hannes wrote: > Hi all, > > as part of the shepherd write-up for the "OAuth 2.0 Security BCP" document, > we are looking for information about implemen

Re: [OAUTH-WG] Relationship between SPICE and OAuth

2023-11-01 Thread torsten=40lodderstedt . net
Hi Hannes, On 1 Nov 2023, 12:21 +0100, Hannes Tschofenig wrote: > Hi all, > > I am a bit puzzled by the response Pam and I received when putting the agenda > for the SPICE BOF together. It appears that most people have not paid > attention to the discussions during the last few months. > > L

Re: [OAUTH-WG] AD Review of draft-ietf-oauth-security-topics-24

2023-12-28 Thread torsten=40lodderstedt . net
Your proposal sounds good to me. On 28 Dec 2023, 10:25 +0100, Daniel Fett wrote: > Hi Roman, > thanks for the detailed review and your valuable feedback! > I think you raise one important point in particular that I'd like to discuss > on the list: > On 19.12.23 at 00:08, Roman Danyliw wrote:

[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-v2-1-11.txt

2024-05-15 Thread torsten=40lodderstedt . net
Big +1 On 16 May 2024, 03:14 +0200, Dick Hardt wrote: > Thanks for driving this and making the changes Aaron! > > > On Tue, May 14, 2024 at 5:30 PM Aaron Parecki > > wrote: > > > Hi all, > > > > > > Thanks for the productive discussion at the interim meeting today. I've > > > taken the feedba

[OAUTH-WG] Re: -15 of SD-JWT

2025-01-30 Thread torsten=40lodderstedt . net
+1 On 30 Jan 2025, 18:41 +0100, Daniel Fett wrote: > +1 > (not confidential) > On 29.01.25 at 22:15, Pierce Gorman wrote: > > +1 on advancing the draft. > > > > > > CONFIDENTIAL > > -Original Message- > > From: Watson Ladd > > Sent: Wednesday, January 29, 2025 12:09 PM > > To: Brian