
Minutes IETF100: oauth
minutes-100-oauth-00

Meeting Minutes Web Authorization Protocol (oauth) WG
Date and time 2017-11-15 07:20
State Active
Last updated 2017-12-12

Web Authorization Protocol (OAuth)
==================================

Tuesday’s Agenda
----------------

** Chairs Update – 10 min
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-chairs-update/

NEW: OAuth Security Workshop 2018

** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-token-binding/

Leif: should be possible to constrain the issuer of certs in PKI mode
Brian: implementers' feedback - not easy to implement due to the data exposed by the TLS layer
Leif: at least add a security consideration around potential security considerations
Torsten: we have some text regarding this attack in section 6.2 - pls. give it a read
Justin: can only be used with grant types utilizing the token endpoint, so what about implicit?
John: we don't believe provisioning of certs into user browsers is desirable, token binding is the better solution
Justin: reasonable argument - please add text to the spec clearly cutting this off
Brian: the only open comment right now is about metadata for MTLS-bound access tokens
Hannes: What is the difference between this spec and token binding (in particular given support for self-signed certificates)?
John/Torsten: self-signed certs are a lightweight replacement for client authentication
Dick: you should consider that large cloud providers terminate TLS at the load balancers, it potentially won't work there
Justin: banks today use TLS and mutual TLS, so from their perspective, this draft adds OAuth for TLS.
Hannes: Please add text about the difference into the document to make it clear for the reader.

WGLC will be issued in December after clarification.

Reviewers: Justin and Leif

** OAuth 2.0 Token Binding (30 min, Brian Campbell)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-mutual-tls-profile-for-oauth-20/

Reviewer: Mike

** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-authorization-server-discovery-metadata/

Mike to update the draft.

** JSON Web Token Best Current Practices  – (15 min, Mike Jones)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-json-web-token-best-current-practices/

Brian to search for old comment regarding content type.
Chairs to ask for more reviewers on SAAG list.

Reviewer: Phil

** OAuth 2.0 Device Flow – (15 min, John Bradley)

Nat to compare his review comments with the proposed resolution. Ready for
another WGLC.

Reviewer: Torsten

** OAuth 2.0 Device Posture Signals – (15 min, John Bradley)

Hannes: seems to make a lot of assumptions, e.g. regarding attestation?
John: direct TLS connection to the token endpoint, individual attestations already signed
Wendy: Privacy considerations?
John: need to discuss
Dave: What prevents one app from stealing an attestation from another app?
John: depends on the API, e.g. on Android it is SafetyNet; the draft depends on token binding for replay prevention
No one seemed to have read the document.
Tony: relationship to token binding attestation?
John: other level (TLS instead of app)
Lucy: reliability of data? How is the AS supposed to enforce a policy?
John: low-level functions create the attestation, the app just bundles these pieces and passes them on to the AS
Hannes: need to understand the architecture
Torsten: need to document the architecture and trust model
John: there is some implementation experience, we need to get the vendor to talk about it
Dave: what is the signature? What key material?

5 persons are interested in this topic but nobody has read the draft. Requires
expertise from the hardware community.

Wednesday’s Agenda
------------------

** OAuth Security Topics – (30 min, Torsten Lodderstedt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-security-topics/

Concerns over the document lifecycle. Solutions, such as the audience, may need
to be put into a separate document. The BCP can be updated as newer threats or
mitigations come in.

A consensus call on the recommendations in the document needs to be done on the list.

Reviewers: Nat, Dick, Brian

** Mutual OAuth – (20 min, Dick Hardt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-mutual-oauth/

Questions and concern over consent. Presentation did not capture the consent
parts. Potential overlap with other work, such as token exchange.

Poll: 14 persons were in favor of working on this topic / 0 against

** Distributed OAuth – (20 min, Dick Hardt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-distributed-oauth/

Overlap with prior work has been noted (e.g. UMA 2.0).

There is general WG interest in the topic.

** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials – (10 min, Marco Tiloca)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-raw-public-key-and-preshared-key-as-oauth-client-credentials/

Justin: should we merge this with the mutual TLS draft? Resounding no from most
of the room.

** Public Identity Infrastructure for the Internet – (10 min, Vittorio Bertola)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-a-public-identity-infrastructure-for-the-internet/

Justin: wanted to know why this would stop fragmentation or help to unify? There have been other adoption issues, like WebFinger.
Nat: already looked at a DNS-based solution and it was not practical
Leif: overlap with OpenID federation; how does the trust mechanism scale? DNS is a poor infrastructure to build upon