IETF
oauth@jabber.ietf.org
Monday, March 25, 2019
m&m has set the subject to: OAUTH at IETF103 https://datatracker.ietf.org/meeting/103/session/oauth

GMT+0
[07:41:12] metricamerica joins the room
[08:40:38] metricamerica joins the room
[08:42:36] metricamerica leaves the room
[09:34:04] metricamerica joins the room
[09:34:37] metricamerica leaves the room
[10:00:07] metricamerica leaves the room
[10:24:07] metricamerica joins the room
[11:22:37] metricamerica leaves the room
[12:22:33] metricamerica joins the room
[14:45:08] metricamerica leaves the room
[14:55:03] Meetecho joins the room
[14:57:45] VirtualQueue_leKDVzoX joins the room
[15:05:05] Simon Bouget joins the room
[15:05:07] Lorenzo Miniero joins the room
[15:05:09] patrick mourot joins the room
[15:05:09] Alec Laws joins the room
[15:05:11] Eve Maler joins the room
[15:05:12] Aaron Parecki joins the room
[15:05:33] Vittorio Bertocci joins the room
[15:06:17] <Vittorio Bertocci> buooongiorno!
[15:06:28] <Vittorio Bertocci> (this is just a test)
[15:06:49] Maciej Machulak joins the room
[15:08:53] Maciej Machulak leaves the room
[15:08:54] Maciej Machulak joins the room
[15:09:09] <Maciej Machulak> Hello!
[15:09:58] Nancy Lush joins the room
[15:10:01] m&m joins the room
[15:10:10] <Vittorio Bertocci> zien dobre? I never know how to spell it
[15:10:29] <Eve Maler> Hi all
[15:10:36] Maciej Machulak leaves the room
[15:10:44] Brian Campbell joins the room
[15:10:45] Roman Danyliw joins the room
[15:10:47] Maciej Machulak joins the room
[15:11:18] <Roman Danyliw> Hi! I'm the Jabber scribe. Please preface your comment with [mic] if you want me to take it to the mic line
[15:11:46] Petteri Stenius joins the room
[15:11:54] <Roman Danyliw> starting
[15:12:00] Phillip Hunt joins the room
[15:12:03] metricamerica joins the room
[15:12:09] Brian Campbell leaves the room
[15:12:14] BRIAN Campbell joins the room
[15:12:15] <Roman Danyliw> https://datatracker.ietf.org/meeting/104/materials/slides-104-oauth-chairs-update-02
[15:12:35] Justin Richer joins the room
[15:13:00] BRIAN Campbell leaves the room
[15:13:02] Brian Campbell joins the room
[15:13:52] Tomas Lagos joins the room
[15:15:39] Satoru Kanno joins the room
[15:16:01] Ali Rezaki joins the room
[15:16:07] <Roman Danyliw> talking about draft-ietf-oauth-device-flow
[15:16:36] Tomas Lagos leaves the room
[15:16:48] <Roman Danyliw> talking about draft-ietf-oauth-jwt-bcp
[15:19:03] <Roman Danyliw> talking about draft-ietf-oauth-token-binding-08
[15:19:39] Maciej Machulak leaves the room
[15:19:39] Maciej Machulak joins the room
[15:21:16] <Roman Danyliw> Now on ... https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
[15:21:21] Steve Olshansky joins the room
[15:22:20] <Roman Danyliw> https://datatracker.ietf.org/meeting/104/materials/slides-104-oauth-sessa-security-topics-00
[15:24:21] Domenico Catalano joins the room
[15:25:28] kaduk@jabber.org/barnowl joins the room
[15:26:11] Brian Campbell leaves the room
[15:26:14] Brian Campbell joins the room
[15:31:58] <Justin Richer> (mic) +1 to everything here. The recommendations are sound even if (and especially if) it's against what people are doing today.
[15:32:02] <Roman Danyliw> Tony M
[15:33:41] <Justin Richer> (Y)
[15:33:42] <Roman Danyliw> Pamela
[15:34:02] <Phillip Hunt> (mic) I agree. I too run into the issue of developers justifying bad practices because of the RFC. I agree with everything
[15:34:27] <Justin Richer> And if Phil and I agree then it's probably right ;)
[15:34:36] <kaduk@jabber.org/barnowl> :)
[15:34:40] <Roman Danyliw> John Bradley
[15:36:10] <Roman Danyliw> Mike Jones
[15:36:57] Ludwig Seitz joins the room
[15:39:43] <Roman Danyliw> Mike Jones (back)
[15:40:35] <kaduk@jabber.org/barnowl> I think we determined that people didn't like implicit, but it wasn't quite time to formally deprecate it
[15:43:39] <Phillip Hunt> (mic) I recall from Singapore there was agreement to produce a die die die spec for implicit
[15:44:40] <kaduk@jabber.org/barnowl> Can people say their names at the mic? The audio stream is kind of lousy fidelity
[15:45:37] <Aaron Parecki> @Phillip that's essentially what the browser-based app BCP is supposed to do
[15:46:50] francesca joins the room
[15:46:56] <Phillip Hunt> Ben or Eric had asked if we were doing a die die die spec. The meeting consensus was definitely. I think we just did not follow up.
[15:47:35] <Phillip Hunt> We also agreed to do a spa bcp as well.
[15:48:08] <Justin Richer> :hand:
[15:48:15] <Justin Richer> (in favor of discouraging)
[15:48:16] <Aaron Parecki> :hand: +1 on discouraging password
[15:48:19] <Phillip Hunt> In favour of discourage
[15:49:04] <Phillip Hunt> correct = Bangkok
[15:49:20] <Justin Richer> +1 in favor of soft discouragement of client auth
[15:49:46] <Phillip Hunt> please restate the call...
[15:49:59] <Aaron Parecki> please repeat things that are shouted in the room too
[15:50:18] <Phillip Hunt> In favour of crypto
[15:50:53] <Phillip Hunt> in favour
[15:50:54] <Aaron Parecki> +1 for PKCE for CSRF
[15:50:59] <Justin Richer> +1 for PKCE
[15:51:00] <Phillip Hunt> in favour of pkce that is
[15:51:28] <Justin Richer> +1 for S256
[15:51:35] <Aaron Parecki> +1 for S256
[15:51:51] <Justin Richer> Find them and hunt them down ....
[15:52:02] <Aaron Parecki> lol justin
[15:52:36] <Justin Richer> the only reason we have PKCE plain is because that's what Google's original implementation was and they didn't want to be caught with a "non recommended" or "non conformant" implementation out of the box, so we changed the spec for them to suit.
[15:53:00] <Roman Danyliw> Now on https://datatracker.ietf.org/meeting/104/materials/slides-104-oauth-sessa-jwt-introspection-response-00
[15:55:15] Steve Olshansky leaves the room
[15:56:54] Steve Olshansky joins the room
[15:57:11] <Roman Danyliw> Mark D
[15:58:19] <Roman Danyliw> Tony
[15:58:20] <Brian Campbell> IMHO, given where things are now, I think keeping this doc to be introspection only in scope is the right thing to do
[15:58:21] <Justin Richer> (mic) Well that's my point, we're doing point-solutions in parallel and shouldn't we just do one thing everywhere? I think the end state might be the same anyway though.
[15:58:35] <Roman Danyliw> @brian: want that at the mic?
[15:58:48] <Justin Richer> (that said I am not wanting to block this work going forward)
[15:58:49] <Brian Campbell> yes please
[15:59:19] <Justin Richer> thank you scribe
[15:59:41] <Brian Campbell> sorry, forgot to do the (mic) prefix thing
[16:00:07] <Roman Danyliw> NP
[16:01:15] <Phillip Hunt> Hmmm for scope as is
[16:01:24] <Brian Campbell> I'm not usually remote
[16:01:57] <Phillip Hunt> but when I am...
[16:02:22] <Justin Richer> you drink Dos Equis during the meeting?
[16:02:40] <Vittorio Bertocci> ...you are remote in production?
[16:02:58] <Justin Richer> Hi Eve!
[16:03:05] <Phillip Hunt> Dos Equis for breakfast! FTW!
[16:03:15] <Roman Danyliw> Now on ... https://datatracker.ietf.org/meeting/104/materials/slides-104-oauth-sessa-cross-party-delegation-with-uma-20-00
[16:03:27] <Justin Richer> Oh my gosh so many cameras, this is crazy. It's IETF of the future.
[16:04:26] <Ludwig Seitz> @Justin: The amazing thing is that Meetecho still works
[16:04:47] <Justin Richer> It's handling really well tbh
[16:04:57] <Ludwig Seitz> That's what I meant
[16:05:03] <Justin Richer> At least from my connection I have no problems
[16:05:07] <Justin Richer> I'm impressed
[16:12:20] <Eve Maler> These examples (sorry for small text) are taken directly from the specs, so you can read them there
[16:13:54] m&m joins the room
[16:16:22] <Roman Danyliw> at mic ... Tony Nadalin
[16:17:22] Bjorn Hjelm joins the room
[16:20:40] Lorenz Bischof joins the room
[16:21:46] Simon Bouget leaves the room
[16:22:16] Lorenz Bischof leaves the room
[16:23:00] Ludwig Seitz leaves the room
[16:23:07] Ludwig Seitz joins the room
[16:28:55] m&m leaves the room: Disconnected: No route to host
[16:30:00] francesca leaves the room
[16:32:26] <Roman Danyliw> at mic ... Tony N
[16:33:17] francesca joins the room
[16:38:11] <Justin Richer> (mic) In my view, UMA clients aren't "dumber" than OAuth clients so much as they are "dumb in a different way"
[16:38:29] <Eve Maler> Just reporting the feedback we gathered :-)
[16:38:42] <Justin Richer> (I think this is an important distinction -- they need to manage PCTs and other stuff)
[16:39:17] <Eve Maler> Good point
[16:39:34] Ali Rezaki leaves the room
[16:47:31] Ludwig Seitz leaves the room
[16:47:36] Steve Olshansky leaves the room: Replaced by new connection
[16:47:51] Steve Olshansky joins the room
[16:47:54] <Nancy Lush> Nancy remotely
[16:48:39] <Roman Danyliw> at mic ... John Bradley
[16:48:53] Steve Olshansky leaves the room
[16:49:48] metricamerica leaves the room
[16:50:02] <kaduk@jabber.org/barnowl> Sometimes we can publish an existing technology, unchanged/interoperable, in the IETF stream as an Informational document with the understanding that this effectuates transfer of change control, and future IETF versions need not be compatible
[16:51:34] <Justin Richer> ^-- for historical notes, that was what we did with OAuth 1
[16:52:50] <kaduk@jabber.org/barnowl> John carefully used "Individual Submission" as opposed to "Independent Submission", which I appreciate
[16:53:18] <Brian Campbell> (mic) is this being contributed to ACE too then?
[16:56:38] Simon Pietro Romano joins the room
[16:56:57] patrick mourot leaves the room
[16:57:24] <Roman Danyliw> now presenting ... https://datatracker.ietf.org/meeting/104/materials/slides-104-oauth-sessa-jwt-profile-for-access-token-00
[16:57:42] Nancy Lush leaves the room
[17:09:48] <Justin Richer> (mic) There are some real privacy considerations in putting things like `sub` and `scope` into an access token, since not every RS is going to need that information and an access token can be used at many RS's. We addressed this issue in the HEART profiles in OIDF. The "no-PII" is a good start but if we take this in as a work item, then careful consideration of the consequences of putting things into the token is going to need to be a priority.
[17:10:27] <Justin Richer> I knew the document existed but haven't read the actual text yet :P
[17:12:11] <Roman Danyliw> @justin missed your comment, sorry
[17:12:27] <Roman Danyliw> done
[17:12:30] <Justin Richer> it's ok, I think Vittorio is in the chat and I'll bring it up during draft discussion
[17:12:37] <Maciej Machulak> Thanks!
[17:12:37] Meetecho leaves the room
[17:12:44] Aaron Parecki leaves the room
[17:12:44] Alec Laws leaves the room
[17:12:44] Satoru Kanno leaves the room
[17:12:44] Simon Pietro Romano leaves the room
[17:12:44] Brian Campbell leaves the room
[17:12:44] Justin Richer leaves the room
[17:12:44] Vittorio Bertocci leaves the room
[17:12:44] Phillip Hunt leaves the room
[17:12:44] Lorenzo Miniero leaves the room
[17:12:44] Petteri Stenius leaves the room
[17:12:44] Bjorn Hjelm leaves the room
[17:12:44] Eve Maler leaves the room
[17:12:44] Maciej Machulak leaves the room
[17:12:44] Domenico Catalano leaves the room
[17:14:25] francesca leaves the room
[17:14:25] Roman Danyliw leaves the room
[17:38:02] m&m joins the room
[20:51:23] Steve Olshansky joins the room
[21:17:36] Steve Olshansky leaves the room