IETF
oauth@jabber.ietf.org
Thursday, March 14, 2013
Barry Leiba has set the subject to: OAuth WG | http://tools.ietf.org/wg/oauth/ | IETF 85 audio stream: http://ietf85streaming.dnsalias.net/ietf/ietf854.m3u

GMT+0
[19:04:50] yuioku.yj joins the room
[21:12:06] tlyu joins the room
[21:13:41] yuioku.yj leaves the room
[21:15:22] zartash joins the room
[21:24:16] zartash leaves the room
[21:27:04] zartash joins the room
[21:28:01] =JeffH joins the room
[21:31:23] Kazuki Shimizu joins the room
[21:32:28] <zartash> Agenda slides
[21:32:44] <zartash> two presentations this session
[21:32:50] <zartash> security and JWTs
[21:33:03] bkihara.l joins the room
[21:33:12] <zartash> Anyone remote?
[21:33:39] sftcd joins the room
[21:33:39] Justin Richer joins the room
[21:33:47] semery joins the room
[21:33:53] <zartash> Phil Hunt starting on Oauth Security
[21:34:00] <zartash> Background slide
[21:34:36] <Justin Richer> Does anyone here know the audio feed for remote participants? The link on the meeting page isn't working for me
[21:34:46] <Justin Richer> (could easily be a firewall problem for me though)
[21:34:58] <zartash> http://ietf86streaming.dnsalias.net/ietf/ietf861.m3u
[21:35:05] <zartash> Is that the link you are following?
[21:35:25] <Justin Richer> yes, that's the one. I'm getting a "no route to host"
[21:35:25] <zartash> Goals slide by Phil Hunt
[21:36:01] <tlyu> getting 404s from the server
[21:36:49] <Justin Richer> me, too
[21:37:02] <Justin Richer> when I try to hit the URL directly, that is
[21:38:19] <zartash> Scenarios: use case addition to draft
[21:38:32] <sftcd> i sent a mail about audio to NOC
[21:39:11] <zartash> "signed url" use case (Justin's) didn't get enough support -- not included in the draft
[21:40:17] <Justin Richer> wha? That's news to me.
[21:40:26] <zartash> Phil asking the WG if all relevant scenarios are covered and are they understandable?
[21:41:02] <sftcd> justin - you remote?
[21:41:03] <Justin Richer> Audio is up!
[21:41:11] <Justin Richer> Yes, I am remote.
[21:41:21] <sftcd> is someone setup to relay comments from jabber?
[21:41:50] <sftcd> if not I can for a bit, if you want something said at the mic, preface it with "mic:"
[21:41:57] <zartash> requirements slide
[21:42:56] Andrew Biggs joins the room
[21:42:56] <zartash> scope slide: focus on symmetric key crypto (initially)
[21:43:48] <zartash> hannes (chair) explaining the asymmetric key use was explored ???
[21:44:13] <zartash> More questions to WG: agreement with scoping and requirements?
[21:44:57] <zartash> Open Issues: flex computation of MAC, Key distribution
[21:45:43] <zartash> MAC computation introduces additional "-h" header
[21:46:11] <zartash> example of MAC computation
[21:47:45] <zartash> Bradley at mic: asking question on the MAC computation example
[21:48:07] satoru.kanno@gmail.com joins the room
[21:49:53] <zartash> slide: Key Distribution
[21:50:21] Jaromir Talir joins the room
[21:50:28] <zartash> three techniques: Key 1) transport, 2) retrieval, 3) Agreement
[21:52:08] <zartash> Slide: "Key Transport " technique
[21:52:50] <zartash> Interaction of UA, Resource server and authorization server
[21:53:45] <zartash> Stephen at mic: comments on key transport
[21:53:58] <zartash> slide: 2nd technique: key retrieval
[21:54:19] <zartash> example interaction between UA, RS, AS
[21:55:50] <zartash> third technique: Key agreement (variation of first technique)
[21:56:17] <zartash> Hannes explaining how the key agreement technique is a variation of key transport
[21:56:24] <Justin Richer> mic: How is the key protected in transit between the client and the RS in type 1 (transport)?
[21:57:34] <sftcd> @justin: it's basically like kerberos
[21:58:36] Andrew Biggs leaves the room
[21:59:22] <Justin Richer> mic: I'd argue that #3 is MTI which parallels bearer tokens, but there seems to have been some issues with that?
[21:59:29] <zartash> John Bradley: prefers option 1
[22:00:02] <zartash> Prateek at mic
[22:00:04] <sftcd> well, prefers option 1 with RSA key transport was what I think he said
[22:00:15] <Justin Richer> yeah, that's different from just option 1
[22:01:13] <zartash> yes, different from option 1
[22:01:56] Karen O'Donoghue joins the room
[22:03:47] <zartash> Bradley Hill at mic: questions on option 1 (transport)
[22:06:33] <Justin Richer> mic please!
[22:06:34] <zartash> next steps slide: WG approval of feedback from meeting last week
[22:07:56] <zartash> Next preso: Mike Jones from Microsoft
[22:08:28] <zartash> JSON web token: signature functionality stable since Jan 201
[22:08:30] <zartash> 2011
[22:08:46] <zartash> many known implementations
[22:09:20] <Justin Richer> sorry, that's a bit off topic now :)
[22:09:27] <sftcd> @justin: sorry for being slow with mic;-)
[22:09:35] <Justin Richer> sftcd:  no problem
[22:09:52] <zartash> oops, a bit late -- I should have relayed but I skipped that comment from Justin as well
[22:11:05] <zartash> Michael Peck at mic:
[22:11:25] <Justin Richer> that's OK, nobody listens to me anyway :(
[22:12:06] <zartash> @Justin -- it's been conveyed and Phil ACKed it will be discussed -- perhaps offline now :)
[22:14:35] Andrew Biggs joins the room
[22:15:52] <zartash> question at mic: concern about attack
[22:17:27] <zartash> Prateek Mishra @mic: suggest retaining just core elements in the doc
[22:18:23] <zartash> and additional drafts for "supplementary items" (if I may)
[22:19:18] <Justin Richer> right and he's suggesting that there be another document to say how to use it as an access token
[22:19:23] <Justin Richer> I believe, at least
[22:19:26] <zartash> Mike explaining that JWT is security token not the access token
[22:23:39] <zartash> Mike finished with this preso
[22:24:53] <zartash> Phil asking follow up question
[22:25:45] <zartash> John Bradley responding --
[22:26:37] hillbrad joins the room
[22:26:41] <zartash> Chairs interruption -- needs to move on but Prateek continuing with question :)
[22:27:02] <zartash> Mike Jones --- different slide set
[22:27:07] <zartash> Data gathered
[22:27:14] <zartash> 9 implementations
[22:27:37] <hillbrad> Re, earlier discussion on composition of authenticated encryption, the following is the best paper I know of: http://eprint.iacr.org/2000/025
[22:27:50] semery leaves the room
[22:27:57] <zartash> Explains that ALL the specs are being used
[22:28:07] <zartash> but used differently
[22:28:33] <zartash> Use of Extension Points is the norm
[22:28:51] <tlyu> hillbrad: i think that paper focuses on symmetric encryption, but that the issues discussed in this session were about asymmetric? but that is a very good paper
[22:29:08] <zartash> Mike: the good news is that interop is still being achieved
[22:30:09] <zartash> for interop -- two profiles are being used
[22:30:45] bkihara.l leaves the room
[22:31:11] <zartash> Hannes wrapping up
[22:31:51] <zartash> suggests looking at the code that Roland introduced
[22:32:31] Andrew Biggs leaves the room
[22:32:36] hillbrad leaves the room
[22:32:48] <zartash> session adjourns
[22:32:54] Kazuki Shimizu leaves the room
[22:32:55] Karen O'Donoghue leaves the room
[22:32:59] zartash leaves the room
[22:33:20] tlyu leaves the room
[22:33:31] satoru.kanno@gmail.com leaves the room
[22:33:39] zartash joins the room
[22:33:41] sftcd leaves the room
[22:33:57] =JeffH leaves the room
[22:34:09] Justin Richer leaves the room
[22:38:34] Karen O'Donoghue joins the room
[22:39:48] Karen O'Donoghue leaves the room
[22:44:51] zartash leaves the room
[22:51:19] Jaromir Talir leaves the room