Minutes IETF100: oauth
minutes-100-oauth-00
|
Meeting Minutes |
|
Web Authorization Protocol
(oauth) WG
|
Title |
|
Minutes IETF100: oauth |
State |
|
Active |
Other versions |
|
plain text
|
Last updated |
|
2017-12-12 |
Meeting Minutes
minutes-100-oauth
Web Authorization Protocol (OAuth)
==================================
Tuesday’s Agenda
----------------
** Chairs Update – 10 min
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-chairs-update/
NEW: OAuth Security Workshop 2018
** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-token-binding/
Leif: should be possible to constrain the issuer of certs in pki mode
Brian: implementers feedback - not easy to implement due to the data exposed by
the TLS layer Leif: at least add security consideration around potential
security considerations Torsten: we have some text regarding this attack in
section 6.2 - pls. give it a read Justin: can only be used with grant types
utilizing token endpoint, so what about implicit? John: we don’t believe
provisioning of certs into user browsers is desirable, token binding is the
better solution Justin: reasonable argument - please add text to the spec
clearing cutting this off Brian: only open comment right now about metadata for
mtls bound access tokens Hannes: What is the difference between this spec and
token binding (in particular given support for self-signed certificates)?
John/Torsten: self-signed certs are a lightweight replacement for client
authentication Dick: you should consider large cloud providers terminate TLS at
the load balancers, won’t potentially work there Justin: banks today use TLS
and mutual TLS, so from their perspective, this draft adds OAuth for TLS.
Hannes: Please add text about the difference into the document to make it clear
for the reader. WGLC will be issued in december after clarification.
Reviewers: Justin and Leif
** OAuth 2.0 Token Binding (30 min, Brian Campbell)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-mutual-tls-profile-for-oauth-20/
Reviewer: Mike
** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-authorization-server-discovery-metadata/
Mike to update the draft.
** JSON Web Token Best Current Practices – (15 min, Mike Jones)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-json-web-token-best-current-practices/
Brian to search for old comment regarding content type.
Chairs to ask for more reviewers on SAAG list.
Reviewer: Phil
** OAuth 2.0 Device Flow – (15 min, John Bradley)
Nat to compare his review comments with the proposed resolution. Ready for
another WGLC.
Reviewer: Torsten
** OAuth 2.0 Device Posture Signals – (15 min, John Bradley)
Hannes: seem to make a lot of assumptions, e.g. regarding attestation?
John: direct TLS connection to token endpoint, individual attestations already
signed wendy Privacy considerations? John: need to discuss dave: What prevents
one app from stealing an attestation from another app? John: depends on the
API, e.g. on Android it is Safety Net, draft depends on token binding for
replay prevention No one seemed to have read the document Tony: relationship to
token binding attestation? John: other level (TLS instead of App) Lucy:
reliability of data? How is the AS supposed to enforce a policy? John: low
level functions create attestation, the app just bundles this pieces and passes
them onto the AS Hannes: need to understand the architecture Torsten: need to
document architecture and trust model John: there is some implementation
experience, we need to get the vendor talk about it dave: what is the
signature? What key material?
5 persons are interested in this topic but nobody read the draft. Requires
expertise from the hardware community.
Wednesday’s Agenda
------------------
** OAuth Security Topics – (30 min, Torsten Lodderstedt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-security-topics/
Concerns over the document lifecycle. Solutions, such as the audience, may need
to be put into separate document. bcp can be updated if newer threats or
mitigations come in
A consensus call on the recommendations in document needs to be done on the list
Reviewers: Nat, Dick, Brian
** Mutual OAuth – (20 min, Dick Hardt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-mutual-oauth/
Questions and concern over consent. Presentation did not capture the consent
parts. Potential overlap with other work, such as token exchange.
Poll: 14 persons were in favor of working on this topic / 0 against
** Distributed OAuth – (20 min, Dick Hardt)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-distributed-oauth/
Overlap with prior work has been noted (e.g. UMA 2.0)
There is general WG interest in the topic.
** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials – (10 min,
Marco Tiloca)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-raw-public-key-and-preshared-key-as-oauth-client-credentials/
Justin: should we merge this with the mutual tls draft , resounding no from
most of room
** Public Identity Infrastructure for the Internet – (10 min, Vittorio Bertola)
https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-a-public-identity-infrastructure-for-the-internet/
Justin - Wanted to know why this would stop fragmentation or will help to
unify? There have been other adoption issues like web finger. Nat - already
looked at a dns based solution and was not practical Leif- overlap in openid
federation: how does the trust mechanism scale? DNS is a poor infrastructure to
build upon