Minutes IETF100: oauth
minutes-100-oauth-00
Meeting Minutes | Web Authorization Protocol (oauth) WG | |
---|---|---|
Date and time | 2017-11-15 07:20 | |
Title | Minutes IETF100: oauth | |
State | Active | |
Other versions | plain text | |
Last updated | 2017-12-12 |
minutes-100-oauth-00
Web Authorization Protocol (OAuth) ================================== Tuesday’s Agenda ---------------- ** Chairs Update – 10 min https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-chairs-update/ NEW: OAuth Security Workshop 2018 ** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-token-binding/ Leif: should be possible to constrain the issuer of certs in pki mode Brian: implementers feedback - not easy to implement due to the data exposed by the TLS layer Leif: at least add security consideration around potential security considerations Torsten: we have some text regarding this attack in section 6.2 - pls. give it a read Justin: can only be used with grant types utilizing token endpoint, so what about implicit? John: we don’t believe provisioning of certs into user browsers is desirable, token binding is the better solution Justin: reasonable argument - please add text to the spec clearing cutting this off Brian: only open comment right now about metadata for mtls bound access tokens Hannes: What is the difference between this spec and token binding (in particular given support for self-signed certificates)? John/Torsten: self-signed certs are a lightweight replacement for client authentication Dick: you should consider large cloud providers terminate TLS at the load balancers, won’t potentially work there Justin: banks today use TLS and mutual TLS, so from their perspective, this draft adds OAuth for TLS. Hannes: Please add text about the difference into the document to make it clear for the reader. WGLC will be issued in december after clarification. Reviewers: Justin and Leif ** OAuth 2.0 Token Binding (30 min, Brian Campbell) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-mutual-tls-profile-for-oauth-20/ Reviewer: Mike ** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-oauth-20-authorization-server-discovery-metadata/ Mike to update the draft. ** JSON Web Token Best Current Practices – (15 min, Mike Jones) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessb-json-web-token-best-current-practices/ Brian to search for old comment regarding content type. Chairs to ask for more reviewers on SAAG list. Reviewer: Phil ** OAuth 2.0 Device Flow – (15 min, John Bradley) Nat to compare his review comments with the proposed resolution. Ready for another WGLC. Reviewer: Torsten ** OAuth 2.0 Device Posture Signals – (15 min, John Bradley) Hannes: seem to make a lot of assumptions, e.g. regarding attestation? John: direct TLS connection to token endpoint, individual attestations already signed wendy Privacy considerations? John: need to discuss dave: What prevents one app from stealing an attestation from another app? John: depends on the API, e.g. on Android it is Safety Net, draft depends on token binding for replay prevention No one seemed to have read the document Tony: relationship to token binding attestation? John: other level (TLS instead of App) Lucy: reliability of data? How is the AS supposed to enforce a policy? John: low level functions create attestation, the app just bundles this pieces and passes them onto the AS Hannes: need to understand the architecture Torsten: need to document architecture and trust model John: there is some implementation experience, we need to get the vendor talk about it dave: what is the signature? What key material? 5 persons are interested in this topic but nobody read the draft. Requires expertise from the hardware community. Wednesday’s Agenda ------------------ ** OAuth Security Topics – (30 min, Torsten Lodderstedt) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-security-topics/ Concerns over the document lifecycle. Solutions, such as the audience, may need to be put into separate document. bcp can be updated if newer threats or mitigations come in A consensus call on the recommendations in document needs to be done on the list Reviewers: Nat, Dick, Brian ** Mutual OAuth – (20 min, Dick Hardt) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-mutual-oauth/ Questions and concern over consent. Presentation did not capture the consent parts. Potential overlap with other work, such as token exchange. Poll: 14 persons were in favor of working on this topic / 0 against ** Distributed OAuth – (20 min, Dick Hardt) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-distributed-oauth/ Overlap with prior work has been noted (e.g. UMA 2.0) There is general WG interest in the topic. ** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials – (10 min, Marco Tiloca) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-raw-public-key-and-preshared-key-as-oauth-client-credentials/ Justin: should we merge this with the mutual tls draft , resounding no from most of room ** Public Identity Infrastructure for the Internet – (10 min, Vittorio Bertola) https://datatracker.ietf.org/meeting/100/materials/slides-100-oauth-sessa-a-public-identity-infrastructure-for-the-internet/ Justin - Wanted to know why this would stop fragmentation or will help to unify? There have been other adoption issues like web finger. Nat - already looked at a dns based solution and was not practical Leif- overlap in openid federation: how does the trust mechanism scale? DNS is a poor infrastructure to build upon