IETF
oauth@jabber.ietf.org
Thursday, March 28, 2019
m&m has set the subject to: OAUTH at IETF103 https://datatracker.ietf.org/meeting/103/session/oauth

GMT+0
[07:47:26] Meetecho joins the room
[07:54:02] Ludwig joins the room
[07:55:35] Steve Olshansky joins the room
[07:56:17] Ludwig has set the subject to: OAUTH at IETF104 https://datatracker.ietf.org/meeting/104/session/oauth
[07:58:09] Petteri Stenius joins the room
[07:58:44] Justin Richer joins the room
[07:59:13] Steve Olshansky leaves the room: Replaced by new connection
[07:59:32] Steve Olshansky joins the room
[08:00:52] Bjorn Hjelm joins the room
[08:01:04] Brian Campbell joins the room
[08:03:05] <Ludwig> Hello, I'm going to be your Jabber scribe. If you want me to relay your comments to the microphone please prefix them with "mic:"
[08:04:52] kaduk@jabber.org/barnowl joins the room
[08:12:22] Brian Campbell leaves the room
[08:12:22] Brian Campbell joins the room
[08:15:41] <Justin Richer> mic: We should mention things like SPA-with-proxy-backend apps and generally put them out of scope. Specifically, this draft should only deal with things that see the OAuth tokens inside the browser, but we can't ignore that people follow other patterns, and we want to steer them in the right direction.
[08:16:38] <Justin Richer> Namely, those should usually use cookies between the browser and backend, and not OAuth in the browser.
[08:20:30] <Justin Richer> mic: Torsten and I don't actually disagree I think -- I'm saying talk about it and put it in the right scope. "Not Covering It" and "Not Mentioning It At All" are two different things. I think we should mention it and not cover it -- like what John is saying.
[08:23:05] <Justin Richer> people in the room need to use the mic
[08:23:44] <Ludwig> John was just wondering whether you really agreed with him
[08:24:18] <Justin Richer> Ah. Yeah, for the most part, I think. It's hard to follow at 4am :P
[08:24:53] <Ludwig> He seemed incredulous at the concept of you agreeing with him
[08:25:43] <Justin Richer> 🤷‍♀️
[08:29:51] <kaduk@jabber.org/barnowl> [I can't fully follow the audio stream due to distractions in the room
for the MLS session; if someone can call out here when we are
switching to the PoP key distribution topic I'd appreciate it]
[08:30:02] <Justin Richer> +1
[08:30:23] <Justin Richer> @kaduk will try to do so
[08:30:43] <Ludwig> I can do that, that's the topic I'm here for
[08:31:06] Brian Campbell leaves the room
[08:31:08] Brian Campbell joins the room
[08:32:07] <Justin Richer> mic: I don't remember someone saying that in the session but I think they're wrong.
[08:32:37] Brian Campbell leaves the room
[08:32:39] Brian Campbell joins the room
[08:33:34] Steve Olshansky leaves the room: Replaced by new connection
[08:33:52] Steve Olshansky joins the room
[08:34:06] <Bjorn Hjelm> +1
[08:34:26] <Justin Richer> Thanks, Ludwig :)
[08:36:43] Masaki Kase joins the room
[08:40:36] <Justin Richer> mic: Yes. Burn it.
[08:43:24] Jaromír Talíř joins the room
[08:46:53] Steve Olshansky leaves the room
[08:46:56] <Ludwig> PoP is up
[08:47:11] <Justin Richer> @Ben we're talking PoP now
[08:47:54] <kaduk@jabber.org/barnowl> Thanks -- I made it :)
[08:51:31] <Justin Richer> mic: This draft is only a half-solution. It doesn't do us any good without a presentation mechanism, like the HTTP Signing draft that this group has never had an appetite for (apart from Mike's recent review, thanks for that btw)
[08:52:31] <kaduk@jabber.org/barnowl> Justin: have you seen any of the discussion in recent weeks about
"canonical json" (and the use case of signing HTTP requests with the
signature in a header)?
[08:54:19] <Justin Richer> I've been following that, yes. That's only good for signing the body if the body is JSON -- doesn't help with GET/DELETE or protecting the URLs.
[08:54:30] <Justin Richer> or form posts or XML or ....
[08:54:55] <Justin Richer> Unless I missed something there?
[08:55:35] <kaduk@jabber.org/barnowl> I haven't been following closely enough to refute that, and in fact
think you are probably correct about it
[08:56:46] Steve Olshansky joins the room
[08:57:36] <Justin Richer> +1 to annabelle
[08:59:53] Steve Olshansky leaves the room
[09:01:40] <Justin Richer> mic: isn't that enabling a man-in-the-middle that we can't prove? And do we want to do that?
[09:06:05] Elias Summermatter joins the room
[09:20:51] Brian Campbell leaves the room
[09:20:53] Brian Campbell joins the room
[09:21:53] Brian Campbell leaves the room
[09:21:56] Brian Campbell joins the room
[09:29:39] Petteri Stenius leaves the room
[09:31:11] equalsjeffh joins the room
[09:31:30] Petteri Stenius joins the room
[09:33:41] Brian Campbell leaves the room
[09:33:46] Meetecho leaves the room
[09:33:48] Jaromír Talíř leaves the room
[09:33:48] Petteri Stenius leaves the room
[09:33:48] Justin Richer leaves the room
[09:33:48] Elias Summermatter leaves the room
[09:33:48] Bjorn Hjelm leaves the room
[09:33:48] Masaki Kase leaves the room
[09:38:16] Ludwig leaves the room: Machine going to sleep
[09:41:22] equalsjeffh leaves the room
[09:41:29] equalsjeffh joins the room
[09:47:52] Ludwig joins the room
[09:50:41] kaduk@jabber.org/barnowl leaves the room
[10:06:41] equalsjeffh leaves the room
[12:12:36] Ludwig leaves the room