1. Opening - Chairs - 14:10-14:20

New chairs; thanks to Dick for his work as BOF chair.

2. XAuth progress - Dick - 14:20-14:40

[JR]: the callback negotiation portion is not in contrast to XYZ.

3. XYZ progress - Justin - 14:40-15:00

Details at https://oauth.xyz/ including source code. Jumps into Continuation Structure.
Open question: can we manage access tokens and grants with access tokens?

4. Protocol comparison - Kathleen - 15:00-15:30

[JR]: @Yoav QUIC didn't start out being called HTTP/3; that came a lot later, with coordination from the HTTP WG. Nothing would stop us from doing that here too if we wanted, in the future. The new WG is because the OAuth WG is also still doing a lot of work today.
[YN]: @Justin Understood. Here it looks like we're revving OAuth right from the start.

Recommendation: adopt XYZ as a WG draft, but merge in the XAuth diagrams and articulate the request/response requirements more clearly, as is done in XAuth.

5. Discussion and next steps - Chairs - 15:30-15:50

Questions/comments to Kathleen:

[JR]: Thanks everyone. XYZ is not yet a complete solution; there is a lot more that it could do. Tried to be clear about places where there are gaps, and 1/3 is editor's notes. If we decide to start with the XYZ document, then I very much want to refine that as we go.
[MCR]: would you say that we need to have JWT everywhere, or what?
[KM]: both seem to use JWT where it works, but in some cases resort to HMAC.
[Dick]: in the one place where XYZ uses HMAC directly, I didn't think XAuth needed anything there.

Discussion about HMAC vs KMAC vs (c)SHAKE in jabber.
Discussion about how ACE might need updating based upon the work that we are contemplating.

[JR]: thinks that it can be easily translated to CoAP/CBOR/COSE, because we should be sticking to HTTP/JSON/JOSE correctly. Should avoid the sins of the past, which were deeply abstracted from one real protocol. [more was said]
[CB]: similar to what JR said. Look at the problem before we throw the baby out with the bathwater. There are some bug fixes in COSE which are not in JOSE. Let's start with this now.
[LJ]: Hum about what we have on the table?
[RD]: compared, but then recommended A<-B, or B<-A, or make a new C.
[MJ]: on the txauth list there have been many threads about how to handle identity claims. XAuth did a better job of handling those claims than XYZ did. Note that the charter said that we weren't going to be doing new identity schemas, so on that basis I would start with XAuth. Otherwise, I would lift the identity stuff from XAuth to XYZ, and make Dick co-author.

Roman asks what the WG needs to make a decision.

[LJ]: another option we could talk about is putting together a DT.
[DH]: agrees, and invites RH.
[JR]: agrees to join, but is not sure.
[LJ]: let's empty the queue.
[BM]: talks about his DRIP use case.
[JR]: garbled.

Kathleen Moriarty: Please do consider readability and don't merge the styles.
Mike Jones: I was asking to graft in some features, not change styles.
Kathleen Moriarty: Great, that's what I was hoping for.
Leif Johansson: yeah, we're out of time.
Marc Blanchet: RDAP (in regext) has a draft using OAuth and OpenID Connect for authorization. I highly suggest that you contact the author (Scott Hollenbeck), as it could be a good use case for GNAP.
Justin Richer: @Mike Yes, I agree that it would be fairly easy to graft XAuth features into XYZ as Kathleen suggested.
Mike Jones: All I was going to say was that if there's a design team, I'm willing to participate.

YS: will move forward with a small DT with a limited timeline and a high-level proposal on how to combine the existing proposals.
[RD]: good plan; pin an interim meeting.
[MJ]: if there is a DT, I will participate.

JR = Justin Richer
YN = Yoav Nir
YS = Yaron Sheffer
CB = Carsten Bormann
MJ = Mike Jones
DH = Dick Hardt
LJ = Leif