Web Authorization Protocol (OAuth)

TUESDAY, March 4, 2014
Time: 0900-1130
Room: Palace C

Chairs:
- Hannes Tschofenig
- Derek Atkins

Agenda:

1) Status Update (5min)

No specific aspects to mention.

2) JSON Web Token (JWT) (15 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

Mike Jones, specification editor, has updated the specification to incorporate the remaining WGLC review comments. The reviewers will have to check whether their feedback has been addressed appropriately. The document is then ready to be forwarded to the IESG for publication, but the completion will depend on the finalization of the work in the JOSE WG. The chairs will work on the shepherd write-up.

The following persons reviewed the spec and need to double-check whether their feedback had been addressed:
- Brian
- Hannes
- Prateek
- James Manger

3) Assertion Documents (15 min)

Brian Campbell

https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/

The group worked on the use of assertions for client authentication as well as an authorization grant type. The work is documented in three specifications (draft-ietf-oauth-assertions-14, draft-ietf-oauth-jwt-bearer-07, and draft-ietf-oauth-saml2-bearer-18). The assertion framework and the SAML bearer specification are completed and waiting for a publication request by the chairs.

During the meeting we decided to put the third document, draft-ietf-oauth-jwt-bearer-07, forward to the IESG at the same time as the other two documents for easier readability. Since draft-ietf-oauth-jwt-bearer-07 depends on the completion of the JWT specification, which in turn depends on the completion of the work in the JOSE WG, there might be a little bit of delay.

4) Dynamic Registration (40 min)

Justin Richer

https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg-metadata/
https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg-management/

Work is getting close to completion because of the progress in the JOSE working group; time to do serious reviews.

A large part of the time was used to discuss this topic. There are currently three documents:
- Core: draft-ietf-oauth-dyn-reg-16
- Meta-data: draft-ietf-oauth-dyn-reg-metadata-00
- Management: draft-ietf-oauth-dyn-reg-management-00

The core and meta-data documents were seen as rather uncontroversial, but these two documents will require reviews and several persons volunteered.

The management specification, however, raised questions. Concerns were raised about the maturity of the work, and suggestions were made to add text to the draft to highlight that it is only one possible solution. Changing the document to an Informational or Experimental document was also suggested. The chairs will schedule an informal discussion during this IETF week to get a better understanding of the software development lifecycle and the associated requirements for management of credentials and configuration parameters.

5) Security (60 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac/
https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk/

The chairs presented a summary of the current state of the work for developing mechanisms that provide security properties beyond bearer tokens. The bearer token concept is described in RFC 6750. Currently, the solutions are documented in draft-ietf-oauth-v2-http-mac-05 and draft-tschofenig-oauth-hotk-03.

Based on a discussion last Sunday morning, the existing documents will be re-structured, and the f2f meeting was used to solicit feedback. We hope to have text within the next few weeks so that those who are deploying solutions already today can be involved in the work.

A charter and a milestone update will be necessary to accommodate the document split.