Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

"Richer, Justin P." <jricher@mitre.org> Mon, 27 October 2014 23:21 UTC

From: "Richer, Justin P." <jricher@mitre.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Mon, 27 Oct 2014 23:21:21 +0000
Message-ID: <B18173FA-7AD9-40A7-98AF-8D2A4AED744D@mitre.org>
References: <543FF850.6070409@gmx.net>
In-Reply-To: <543FF850.6070409@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qUMiGbGxi6B2uemdMdUtLAMX1-A
Cc: "oauth@ietf.org" <oauth@ietf.org>

I've been incorporating people's feedback into the proposed oauth.net page, and the current state is here:

https://github.com/jricher/oauth.net/blob/authentication/articles/authentication.php

Commentary has slowed down and I think the document's in reasonable shape. I would like to publish this as a draft version on oauth.net in the very near future (like, this week), so get comments and feedback to me on this soon. I'm going to be at IIW all week if anyone wants to back me into a corner and talk about this.

 -- Justin

On Oct 16, 2014, at 12:54 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Participants:
> 
> * Brian Campbell
> * John Bradley
> * Derek Atkins
> * Phil Hunt
> * William Kim
> * Josh Mandel
> * Hannes Tschofenig
> 
> 
> Notes:
> 
> Justin distributed a draft writeup and explained the reasoning behind
> it. The intended purpose is to put the write-up (after enough review) on
> oauth.net. See attachments. Justin solicited feedback from the
> conference call participants and from the working group.
> 
> One discussion item was specifically related to the concept of audience
> restrictions, which comes in two flavours: (a) restriction of the access
> token regarding the resource server and (b) restriction of the id token
> regarding the client. Obviously, it is necessary to have both of these
> audience restrictions in place and to actually check them.
> 
> The group then went into a discussion about the use of pseudonyms in
> authentication and the problems deployments ran into when they used
> pseudonyms together with a wide range of attributes that identified
> users nevertheless. Phil suggested producing a write-up about this topic.
> 
> Finally, the group started a discussion about potential actions for the
> OAuth working group. Two activities were mentioned, namely to produce
> an IETF draft of the write-up Justin has prepared as a "formal" response
> to the problems with authentication using OAuth and, as a second topic,
> potential re-chartering of the OAuth working group to work on some
> solutions in this area. Hannes suggested postponing these discussions
> and first finishing the write-up Justin had distributed.
> 
> Ciao
> Hannes & Derek
> <Authentication with OAuth 2.doc><Authentication with OAuth 2.html><Authentication with OAuth 2.pdf>
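The two audience restrictions in Hannes' notes, flavour (a) the resource server checking that the access token is addressed to it and flavour (b) the client checking that the ID token is addressed to it, are easy to state and easy to forget to enforce. The following is an added example, not code from the thread or from the oauth.net write-up, that shows both checks side by side over JWT-shaped tokens. It assumes HS256 with a shared demo key so it runs offline (real deployments verify against the issuer's published keys); the issuer, client and resource identifiers are constructed, and `mint_hs256` exists only so the example can build its own sample tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; none of these come from the thread.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"
ISSUER = "https://as.example"            # assumed authorization server
CLIENT_ID = "client-abc"                 # assumed client (ID token audience)
OTHER_CLIENT = "client-xyz"
RESOURCE = "https://api.example"         # assumed resource server (access token audience)
OTHER_RESOURCE = "https://other.example"
NOW = 1_700_000_000                      # fixed clock so results are deterministic
EXP = NOW + 600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (demo helper; a real AS signs with its own keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def _audience_contains(aud, expected: str) -> bool:
    # RFC 7519: "aud" is either a single string or an array of strings.
    if isinstance(aud, str):
        return aud == expected
    return isinstance(aud, list) and expected in aud


def _validate(token, key, issuer, expected_aud, who, now):
    claims = verify_hs256(token, key)
    now = now if now is not None else int(time.time())
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not _audience_contains(claims.get("aud"), expected_aud):
        raise ValueError(f"token not addressed to this {who}")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def validate_id_token(token, key, issuer, client_id, now=None) -> dict:
    """Flavour (b): the client checks the ID token was issued to *this* client."""
    return _validate(token, key, issuer, client_id, "client", now)


def validate_access_token(token, key, issuer, resource_id, now=None) -> dict:
    """Flavour (a): the resource server checks the access token targets *this* server."""
    return _validate(token, key, issuer, resource_id, "resource server", now)


def _outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "ok"
    except ValueError as err:
        return f"rejected: {err}"


def demo_outcomes() -> dict:
    """Mint constructed tokens and run each one through the check it should face."""
    id_tok = mint_hs256({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": EXP}, DEMO_KEY)
    foreign_id_tok = mint_hs256({"iss": ISSUER, "sub": "alice", "aud": OTHER_CLIENT, "exp": EXP}, DEMO_KEY)
    at = mint_hs256({"iss": ISSUER, "sub": "alice", "aud": [RESOURCE], "scope": "read", "exp": EXP}, DEMO_KEY)
    foreign_at = mint_hs256({"iss": ISSUER, "sub": "alice", "aud": [OTHER_RESOURCE], "scope": "read", "exp": EXP}, DEMO_KEY)
    return {
        "id_token_for_this_client": _outcome(validate_id_token, id_tok, DEMO_KEY, ISSUER, CLIENT_ID, NOW),
        "id_token_for_other_client": _outcome(validate_id_token, foreign_id_tok, DEMO_KEY, ISSUER, CLIENT_ID, NOW),
        "access_token_for_this_rs": _outcome(validate_access_token, at, DEMO_KEY, ISSUER, RESOURCE, NOW),
        "access_token_for_other_rs": _outcome(validate_access_token, foreign_at, DEMO_KEY, ISSUER, RESOURCE, NOW),
        # An ID token replayed at the resource server fails the same audience check.
        "id_token_presented_as_access_token": _outcome(validate_access_token, id_tok, DEMO_KEY, ISSUER, RESOURCE, NOW),
    }


if __name__ == "__main__":
    for case, result in demo_outcomes().items():
        print(f"{case}: {result}")
```

The last case is the one the notes are really about: a signature-valid token from the right issuer is still rejected when its `aud` names a different party, so a client cannot accept an ID token minted for some other client, and a resource server cannot be fed an ID token in place of an access token. Both checks are mechanically identical; what differs is only which identifier each party compares against its own.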