Web Authorization Protocol (OAuth)
==================================

Tuesday’s Agenda
----------------

** Chairs Update – 10 min
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-chairs-update/

NEW: OAuth Security Workshop 2018

** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-token-binding/

Leif: should be possible to constrain the issuer of certs in PKI mode
Brian: implementers' feedback - not easy to implement due to the data exposed by the TLS layer
Leif: at least add a security consideration around potential security considerations
Torsten: we have some text regarding this attack in section 6.2 - please give it a read
Justin: can only be used with grant types utilizing the token endpoint, so what about implicit?
John: we don’t believe provisioning of certs into user browsers is desirable; token binding is the better solution
Justin: reasonable argument - please add text to the spec clearly cutting this off
Brian: the only open comment right now is about metadata for mTLS-bound access tokens
Hannes: What is the difference between this spec and token binding (in particular given support for self-signed certificates)?
John/Torsten: self-signed certs are a lightweight replacement for client authentication
Dick: you should consider that large cloud providers terminate TLS at the load balancers; this potentially won’t work there
Justin: banks today use TLS and mutual TLS, so from their perspective, this draft adds OAuth for TLS.
Hannes: Please add text about the difference into the document to make it clear for the reader.

WGLC will be issued in December after clarification.
Reviewers: Justin and Leif

** OAuth 2.0 Token Binding (30 min, Brian Campbell)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-mutual-tls-profile-for-oauth-20/

Reviewer: Mike

** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-authorization-server-discovery-metadata/

Mike to update the draft.

** JSON Web Token Best Current Practices – (15 min, Mike Jones)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-json-web-token-best-current-practices/

Brian to search for the old comment regarding content type.
Chairs to ask for more reviewers on the SAAG list.

Reviewer: Phil

** OAuth 2.0 Device Flow – (15 min, John Bradley)

Nat to compare his review comments with the proposed resolution.
Ready for another WGLC.

Reviewer: Torsten

** OAuth 2.0 Device Posture Signals – (15 min, John Bradley)

Hannes: seems to make a lot of assumptions, e.g. regarding attestation?
John: direct TLS connection to token endpoint, individual attestations already signed
Wendy: Privacy considerations?
John: need to discuss
Dave: What prevents one app from stealing an attestation from another app?
John: depends on the API, e.g. on Android it is SafetyNet; the draft depends on token binding for replay prevention
No one seemed to have read the document.
Tony: relationship to token binding attestation?
John: other level (TLS instead of App)
Lucy: reliability of data? How is the AS supposed to enforce a policy?
John: low-level functions create the attestation; the app just bundles these pieces and passes them on to the AS
Hannes: need to understand the architecture
Torsten: need to document architecture and trust model
John: there is some implementation experience, we need to get the vendor to talk about it
Dave: what is the signature? What key material?

5 persons are interested in this topic but nobody read the draft. Requires expertise from the hardware community.
Wednesday’s Agenda
------------------

** OAuth Security Topics – (30 min, Torsten Lodderstedt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-security-topics/

Concerns over the document lifecycle. Solutions, such as the audience, may need to be put into a separate document.
The BCP can be updated if newer threats or mitigations come in.
A consensus call on the recommendations in the document needs to be done on the list.

Reviewers: Nat, Dick, Brian

** Mutual OAuth – (20 min, Dick Hardt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-mutual-oauth/

Questions and concerns over consent. Presentation did not capture the consent parts.
Potential overlap with other work, such as token exchange.
Poll: 14 persons were in favor of working on this topic / 0 against

** Distributed OAuth – (20 min, Dick Hardt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-distributed-oauth/

Overlap with prior work has been noted (e.g. UMA 2.0).
There is general WG interest in the topic.

** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials – (10 min, Marco Tiloca)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-raw-public-key-and-preshared-key-as-oauth-client-credentials/

Justin: should we merge this with the mutual TLS draft? Resounding no from most of the room.

** Public Identity Infrastructure for the Internet – (10 min, Vittorio Bertola)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-a-public-identity-infrastructure-for-the-internet/

Justin: wanted to know why this would stop fragmentation or help to unify. There have been other adoption issues, like WebFinger.
Nat: already looked at a DNS-based solution and it was not practical
Leif: overlap with OpenID federation: how does the trust mechanism scale? DNS is a poor infrastructure to build upon.