[18:20:11] mccreary joins the room
[18:40:42] mccreary leaves the room
[18:41:53] stfnruffini joins the room
[18:42:02] stfnruffini leaves the room
[19:41:05] mccreary joins the room
[19:54:17] mccreary leaves the room
[19:55:31] Alan DeKok joins the room
[19:55:51] Eran Hammer-Lahav joins the room
[19:56:02] gr.rastogi joins the room
[19:56:24] gaurav.rastogi@adobe.com
[19:56:27] gr.rastogi leaves the room
[19:56:38] gr.rastogi joins the room
[19:58:08] mccreary joins the room
[19:58:33] =JeffH joins the room
[19:58:52] fenton joins the room
[20:00:43] sm joins the room
[20:01:57] gr.rastogi leaves the room
[20:03:53] Patrik Wallström joins the room
[20:04:36] <=JeffH> so is this chatroom gatewayed with the webex chatroom ?
[20:04:48] <=JeffH> (i guess not)
[20:05:18] tlyu joins the room
[20:05:27] Dave Thaler joins the room
[20:05:32] =JeffH i think that's something for the tools folks to address down the road
[20:05:33] richard.barnes joins the room
[20:05:33] sm leaves the room
[20:05:46] David recordon: brief intro
[20:05:54] <=JeffH> David Recordon has the floor
[20:06:00] Blaine Cook joins the room
[20:06:10] buckeyeskeeve joins the room
[20:06:11] <=JeffH> OAuth 1.0 history, legends, bodies in closets....
[20:06:33] sm joins the room
[20:06:37] (cc'd from the webex chat) I'm going to be relatively quiet as I have a head cold, so I'll leave my mic mostly muted to avoid spontaneous sneezes interrupting things. ;)
[20:06:42] eburger joins the room
[20:06:57] <=JeffH> slide 2 of 5, quoting blaine cook circa 2007
[20:07:29] <=JeffH> slide 3 of 5 quoting Chris Messina circa 2007
[20:07:36] Alan DeKok leaves the room
[20:08:22] Alan DeKok joins the room
[20:08:23] cw-ietf joins the room
[20:08:45] cw-ietf leaves the room
[20:08:56] <=JeffH> slide 5 of 5 oauth spec timeline
[20:10:28] <=JeffH> question at mic: what do you mean by APIs exactly
[20:10:49] <=JeffH> daveman: focussing on http, not other methods
[20:11:17] <=JeffH> stpeter (psa):
[20:11:18] Anil SRIVASTAVA joins the room
[20:11:22] richard.barnes leaves the room
[20:11:27] mccreary leaves the room
[20:11:46] <=JeffH> oauth wg chartered to do revisions to orig oauth 1.0
[20:11:55] mccreary joins the room
[20:12:02] <=JeffH> Dick Hardt et al have done "WRAP"
[20:12:18] Karen O'Donoghue joins the room
[20:12:19] <=JeffH> have had interim concalls to try to figure out what we want to see from WG
[20:12:24] richard.barnes joins the room
[20:12:27] David Recordon joins the room
[20:12:38] <=JeffH> we didn't get an I-D sub'd before I-D deadline
[20:12:40] afternoon'
[20:13:59] <=JeffH> DickHardt (dh) preso "oauth wrap overview"
[20:14:10] <=JeffH> msft has deployed oauth wrap spec
[20:14:17] <=JeffH> google's working on deploying
[20:14:30] <=JeffH> will talk about use cases that oauth 1.0 didn't address
[20:14:41] <=JeffH> slide 2 name history
[20:14:47] stpeter joins the room
[20:15:33] <=JeffH> slide 3 collaborators
[20:15:39] <=JeffH> slide 4 oauth 1.0a issues
[20:15:48] Dan joins the room
[20:16:26] <=JeffH> slide 5 use cases
[20:16:50] <=JeffH> slide six - cloud use case
[20:17:38] lynch joins the room
[20:17:58] <=JeffH> slide 7 accessing a protected resource (PR)
[20:18:28] <=JeffH> slide 8 obtaining refresh token
[20:18:43] <=JeffH> slide 9 refreshing access token
[20:18:55] <=JeffH> slide 10 terminology
[20:19:41] <=JeffH> slide 11 access token
[20:19:57] <=JeffH> SWT is one way to do a token (msft doing that)
[20:20:06] <=JeffH> swt = simple web token
[20:20:11] <=JeffH> separate spec
[20:20:21] <=JeffH> slide 12 refresh token
[20:20:31] <=JeffH> slide 13 wrap capabilities
[20:21:10] <=JeffH> slide 14 potential future
[20:21:11] buckeyeskeeve leaves the room: Replaced by new connection
[20:21:12] buckeyeskeeve joins the room
[20:21:44] Lisa joins the room
[20:23:11] Alan DeKok leaves the room
[20:24:26] <=JeffH> mic Jim Fenton (jf) since ietf is wanting to come up with interop impls how do we do that w/o token spec ?
[20:24:51] <=JeffH> dh: deployer specific, but there could be a std token format
[20:25:34] <=JeffH> hannes: even if token is spec'd then there still may be interop issues
[20:25:46] Melinda joins the room
[20:25:50] <=JeffH> jf: we need to define what "interop" means in this context
[20:26:22] <=JeffH> jf: i don't see a binding btwn the things going thru ssl and ssl itself, and how you will avoid mitm attacks?
[20:26:40] <=JeffH> derek atkins: the former is channel bindings
[20:27:09] Alan DeKok joins the room
[20:27:12] <=JeffH> derek atkins (da): this looks like kerberos -- it has similar terminology and flows, why not just using krb?
[20:28:07] <=JeffH> hannes et al: you're rebooting the wg with that question
[20:28:15] <=JeffH> da: yes, but so is introducing wrap
[20:28:33] <=JeffH> ?: wondering about key distribution problems
[20:28:49] <=JeffH> eric rescorla (ekr): why did u make the tokens bearer?
[20:28:56] sftcd joins the room
[20:28:56] <=JeffH> u make things worse
[20:29:03] <=JeffH> dh: why is it problem
[20:29:21] <=JeffH> ekr:
[20:29:22] heard from Messina that he can't really hear much over the phone. are others having that problem too?
[20:29:37] <=JeffH> dh: reasons want to do this
[20:29:37] Eran Hammer-Lahav leaves the room
[20:29:52] Eran Hammer-Lahav joins the room
[20:29:55] <=JeffH> ekr: those are why u want to, not how u deal with downsides
[20:30:02] <=JeffH> cookies are an issue
[20:30:23] <=JeffH> dh: signing was/is a problem for those impl'g oauth
[20:30:32] tlyu leaves the room: Replaced by new connection
[20:30:32] tlyu joins the room
[20:30:36] <=JeffH> plaxo has to talk directly with google
[20:30:56] Karen O'Donoghue leaves the room: Replaced by new connection
[20:30:57] Karen O'Donoghue joins the room
[20:31:26] <=JeffH> joe smarr @mic: lots of folks have trouble implementing it, oauth is so new, isn't sedimented as yet, folks rolling their own, subpar libraries
[20:32:08] <=JeffH> gee, since most of these sites are using cookies anyway, why not just be pragmatic and get it to work and ease developers pain?
[20:32:34] <=JeffH> brian eaton: agree with Joseph, this is improvement over sharing usernames passwords
[20:33:08] <=JeffH> oauth 1 tries to do integrity stuff at app level
[20:33:34] <=JeffH> need bearer tokens well-structured, swt, jwt, saml
[20:33:47] <=JeffH> ekr: just re-inventing prior problems
[20:34:00] mccreary leaves the room
[20:34:38] martin.thomson joins the room
[20:34:49] mccreary joins the room
[20:35:45] <=JeffH> dh: was more looking for comments on whether starting with wrap and moving forward with folding in oauth stuff into that spec might be a way forward
[20:35:50] <=JeffH>
[20:36:16] <=JeffH> david recordon (dr) has floor
[20:36:23] <=JeffH> facebook has "shipped" wrap
[20:36:49] <=JeffH> on friendfeed
[20:37:05] <=JeffH> took impl to make a request from 100 lines to 4 lines
[20:37:13] <=JeffH> yes need to use tls correctly
[20:37:32] <=JeffH> trade off with what it takes to get message signatures to work correctly
[20:38:13] <=JeffH> [will be talking about new oauth-2.0 I-D (not formally submitted yet)
[20:38:17] <=JeffH> ]
[20:38:41] <=JeffH> how many have hooked up netflix on your tivo?
[20:38:46] Dan leaves the room: Computer went to sleep
[20:39:04] <=JeffH> device shows a code, u enter it on your computer -- there's a profile for that in the I-D
[20:39:10] Karen O'Donoghue leaves the room
[20:39:14] <=JeffH> requires using TLS w/bearer tokens
[20:39:26] <=JeffH> tries to make that the default approach
[20:39:35] <=JeffH> also docs signatures if you want to do that
[20:39:43] <=JeffH> draft has signature use cases
[20:39:54] <=JeffH> one where don't want/cant use TLS
[20:40:14] <=JeffH> EveMaler: 3d usecase more meaningful ident of client
[20:40:42] <=JeffH> 2nd: ssl is pt-to-pt, intermediaries mess up sec model
[20:41:04] <=JeffH> any questions?
[20:41:09] <=JeffH>
[20:41:18] I think maybe lack of questions is due to lack of time to read it
[20:41:30] Patrik Wallström leaves the room
[20:41:34] @sftcd: +1
[20:41:36] Patrik Wallström joins the room
[20:41:36] When a draft comes out this late, you shouldn't expect comments
[20:41:38] hildjj joins the room
[20:42:00] but the table of contents looks promising
[20:42:44] yeah, sorry it was so late. it really does meld together 1.0a and WRAP so the ideas should be understandable if you understand those drafts
[20:42:59] stpeter leaves the room: Disconnected: Replaced by new connection
[20:42:59] stpeter joins the room
[20:43:02] <=JeffH> hannes: from what is in this doc, what is in orig spec, question is what do we put in base doc and what do we put in extension docs that address more sophisticated use cases
[20:43:31] <=JeffH> igor: tls alone doesn't address all sec issues, eg if token "leaks" then can be re-used unless protected on its own
[20:43:41] <=JeffH> will 2.0 be compat with 1.0 ? i
[20:44:19] <=JeffH> hannes: you are advocating use cases that req more protect than others desire/need
[20:45:00] <=JeffH> current draft on screen (recordon's) removed the public key signature mech, does that make sense?
[20:45:42] <=JeffH> dr: wrt bkwards compat -- low oauth 1 deployment, can break bkwards compat
[20:45:50] hildjj leaves the room: Disconnected.
[20:46:11] <=JeffH> richard barnes (rb): don't see in this draft how delegation works -- is it in there?
[20:46:38] <=JeffH> dr: delegation, raffi from twitter has written up how to do with oauth1, not yet done with this or WRAP
[20:47:03] Karen O'Donoghue joins the room
[20:47:48] <=JeffH> dr: all this broken apart in this spec, you can create it
[20:47:54] http://mehack.com/oauth-echo-delegation-in-identity-verificatio
[20:48:33] <=JeffH> mic ?: are all these diff mechs mandatory or are any optional?
[20:49:13] <=JeffH> dr: it's in the draft what's req'd, must impl one of the flows and TLS
[20:49:16] <=JeffH> at least
[20:49:22] =JeffH: I'm not sure who that was at the mic
[20:49:39] <=JeffH> ?: any way to signal what you support to other party?
[20:49:56] <=JeffH> dr: no, but that being discussed in other contexts, perhaps can leverage it
[20:50:07] <=JeffH> (outta scope of this group?)
[20:50:40] <=JeffH> psa (chair): will this hybrid approach address use cases folks have? hoping to get that out of discussion today
[20:51:30] Leif: we need some kind of channel binding
[20:51:37] <=JeffH> leif johansson: need channel binding
[20:51:53] <=JeffH> ekr: but that is against whole point of design not to do any crypto
[20:52:21] Anil SRIVASTAVA leaves the room
[20:52:24] <=JeffH> brian eaton: wrt channel bind, if access tok must be presented with client cert -- that ok?
[20:52:53] <=JeffH> leif: there're two tls channel binding approaches and in RFC -- can look at that
[20:53:03] Patrik Wallström leaves the room
[20:53:09] Patrik Wallström joins the room
[20:53:23] <=JeffH> brian eaton: if token leaks, damage is minimal
[20:53:48] davem joins the room
[20:53:52] <=JeffH> ekr: at that point...... (ekr too fast)
[20:54:07] <=JeffH> ?: wud draft support re-delegation?
[20:54:11] http://tools.ietf.org/html/draft-vrancken-oauth-redelegation-01
[20:54:25] <=JeffH> psa: speaker has draft on redelegation, will post link to chatroom
[20:54:41] cw-ietf joins the room
[20:54:46] =JeffH: that was Zachary Zeltsan
[20:55:03] <=JeffH> (speaker way back up at beginning was igor faynberg)
[20:55:11] <=JeffH> thx stpeter
[20:55:18] <=JeffH> how's the gates today?
[20:55:39] <=JeffH> psa: need someone to step to edit a scenarios draft
[20:56:35] <=JeffH> joseph smarr: redelegation case can be an issue in actual deployments (twitpic e.g.); empirically we need to have an answer for this
[20:56:57] <=JeffH> hannes: we have lots discussions on how we scope initial work -- can this be later work?
[20:57:19] <=JeffH> js: have to convince there's there there -- ie make allowances for it and a way to do it in future
[20:57:34] <=JeffH> pswd sharing handles re-delegation, but oauth today doesn't address it
[20:58:02] <=JeffH> psa: so look at zachary's draft and see if it meshes with DR's I-D
[20:58:30] tlyu leaves the room: Disconnected
[20:59:17] <=JeffH> hannes: had fairly long use case discussions -hoped for use case reqs -- but haven't really gotten that
[20:59:30] <=JeffH> e.g. Eve's use case docs from UMA ?
[21:00:02] tlyu joins the room
[21:00:07] <=JeffH> Eve Maler (em): uma use case explanation
[21:00:45] <=JeffH> UMA in kantara initiative
[21:00:54] <=JeffH> hannes: pls paste url in here
[21:01:09] mccreary leaves the room
[21:01:27] <=JeffH> oauth is protecting apis
[21:01:28] mccreary joins the room
[21:01:46] <=JeffH> uma is agnostic wrt what the resource is, eg could be more fine-grained
[21:02:30] <=JeffH> http://kantarainitiative.org/confluence/display/uma/UMA+Explained
[21:02:42] URL for UMA webpage?
[21:02:51] thanks Jeff
[21:02:55] <=JeffH> yes
[21:02:55] markus.isomaki joins the room
[21:02:57] <=JeffH> welcome
[21:04:04] <=JeffH> http://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases
[21:04:46] <=JeffH> Use Case: Protecting Health Data and Metadata (Pending)
[21:05:10] <=JeffH> hannes: how do these use cases impact use cases ?
[21:05:18] <=JeffH> impact sec mechs (sorry)
[21:05:43] Alan DeKok leaves the room
[21:05:43] <=JeffH> what do you need to put in tokens to create this?
[21:05:58] Karen O'Donoghue leaves the room: Replaced by new connection
[21:05:58] <=JeffH> em: yes, haven't worked this down to that level yet
[21:06:04] Karen O'Donoghue joins the room
[21:06:18] <=JeffH> [gives turbo tax example]
[21:06:41] <=JeffH> hannes: two topics: channel binding, and how does this relate to kerberos
[21:07:00] is there any real probability that OAuth developers will actually use kerberos?
[21:07:18] @sftcd no
[21:07:29] then isn't that the answer?
[21:07:30] <=JeffH> brian: looks like krb because all trusted 3d party authn schemes look kinda like krb
[21:08:19] mccreary leaves the room
[21:08:31] or is the real question "should OAuth be as good as Kerberos?"
[21:08:43] <=JeffH> alexey (as individ): issue you will be running into is you'll have to re-invent all the things krb had to address
[21:08:55] @sftcd was thinking the same thing :)
[21:09:06] <=JeffH> maybe u just need a diff format of krb ticket that's more suitable for your app?
[21:09:47] <=JeffH> scott cantor (sc): you can ask krb/saml here, but will folks use krb to do these things? no. use saml? no.
[21:10:08] <=JeffH> so will have to be a market for solns that will fail or succeed on their own merits
[21:11:01] <=JeffH> if oauth folk are going to re-invent all the stuff the others have addressed -- then pls do it cognizantly rather than in a vacuum
[21:11:21] Igor: I don't think we need a session key here (which is what krb does)
[21:11:22] <=JeffH> igor: krb estab a session key for two parties, don'
[21:11:36] <=JeffH> t need that here, but krb has various facets that can be re-used
[21:11:38] Justin Smith at the mic
[21:11:48] js: this is just the sts pattern
[21:11:58] <=JeffH> justin smith: this is just STS pattern (security token service of WS-*)
[21:12:56] <=JeffH> so we shud just move forward
[21:14:01] <=JeffH> eran (ehl): so when start talking doing oauth in ietf, if we were going to start the conversation from scratch, it'll take forever so instead take oauth 1.0 as start and propose specific changes from there
[21:14:17] isn't oauth 1.x off the table? I don't get his point
[21:14:44] <=JeffH> wrap has new arch, but for most of that spec, it has new ways of getting token
[21:15:06] <=JeffH> oauth 1.0a it has certain sig mech with specific properties, it's not fundamentally broken
[21:15:17] <=JeffH> so EHL wants to get answers to...
[21:16:00] <=JeffH> 1) am main editor, am not sure what folks want to start with; survey more or less resulted in wanting a single draft that mixes stuff together
[21:16:18] <=JeffH> have to pick one of them to really move forward
[21:16:41] Patrik Wallström leaves the room
[21:16:46] Patrik Wallström joins the room
[21:16:50] <=JeffH> 2) signatures
[21:16:57] <=JeffH> been talking about this for long time
[21:17:50] <=JeffH> use cases for sigs are in two cases; token may be longer lived, may not want to use ssl for all interactions
[21:18:05] <=JeffH> bearer token addresses various use cases
[21:18:44] <=JeffH> so, let's stick w/existing charter, and that secure comms w/o TLS is needed
[21:18:49] existing charter is not for 2.0 or am I wrong?
[21:18:57] <=JeffH> can do certain things to make easier
[21:20:24] <=JeffH> lucy lynch (ll): think that ehl's questions and SC's comment are crux -- here you can have simple, fast, sophisticated
[21:20:37] <=JeffH> u shud ack that you'll have to get to sophisticated
[21:21:06] <=JeffH> group is going to have to be committed to getting to sophisticated at end of day because "simple" isn't going to hold up (for longer term)
[21:21:28] this is the first time this wg has met and it has deviated from its charter in the meantime
[21:21:39] so I'm not surprised there's not that much to show yet
[21:22:03] <=JeffH> ehl: this has already taken a long time; but folks who have showed up want the stuff we'
[21:22:07] <=JeffH> ve been discussing
[21:22:27] <=JeffH> but folks who object haven't provided actual specs/writeups
[21:23:31] <=JeffH> psa: concalls lead in that direction
[21:23:31] <=JeffH> is your sense ehl that what david has doesn't have the combo of features of what you want?
[21:24:04] <=JeffH> brian eaton: wrt more sophisticated use cases -- the ws-* comm spent a lot of time for sophs but almost no custs
[21:24:33] <=JeffH> scenario here is mutually-distrusting parties -- give them recommended patterns then make them easy
[21:24:42] <=JeffH> EM: observation then proposal
[21:25:06] eliot.lear joins the room
[21:25:21] <=JeffH> comments on re-invent wheel: competition is not krb really, it's username/pswd being spread around internet
[21:25:31] <=JeffH> adoption is important
[21:25:50] Patrik Wallström leaves the room
[21:25:51] eliot.lear leaves the room
[21:25:53] <=JeffH> another observation: work is bursty
[21:25:55] Patrik Wallström joins the room
[21:26:31] <=JeffH> so folks have oauth 1 to use to focus on and figure out what the sweet spot is
[21:27:05] <=JeffH> propose start with DRs draft and get going on it
[21:27:22] <=JeffH> psa: have to get the i-d issued and then have discussion on list
[21:27:53] <=JeffH> would love to get feedback from folks on this approach
[21:28:11] Alan DeKok joins the room
[21:28:39] http://github.com/daveman692/OAuth-2.0
[21:28:55] then also posted on the mailing list (though not yet reflecting input from the weekend)
[21:29:18] http://github.com/daveman692/OAuth-2.0
[21:29:27] <=JeffH> DR: do folks generally think draft worth being submitted ?
[21:29:27] oh well it's already posted :)
[21:29:42] <=JeffH> jim fenton (jf): what does interop mean in this context?
[21:29:47] ray_atarashi joins the room
[21:29:48] and I'm happy to accept contributions! Already had some from a variety of people
[21:29:56] <=JeffH> what is seen as the value of getting ietf to act on this?
[21:30:11] <=JeffH> ietf is about getting interop and the sec bits are right
[21:30:24] <=JeffH> and the latter will make it not as pleasant to impl
[21:30:33] <=JeffH> do oauth folks realize this?
[21:31:23] <=JeffH> dick hardt (dh): early objectives was all these dvlprs were protecting resources -- need to stdz token flows, but didn't need to stdz the token itself
[21:31:33] <=JeffH> in cloud scenarios, do need to stdz token
[21:32:06] <=JeffH> hannes: differences between various parties
[21:32:33] <=JeffH> dh: orig oauth the protect obj and the access manager were closely related
[21:32:52] <=JeffH> now have case where authz svr and prot resource are separated
[21:33:11] <=JeffH> rob sayer: looked at DR's draft -- this still looks complex
[21:33:12] who's talking?
[21:33:17] ah, ok
[21:33:18] <=JeffH> rob sayer
[21:33:27] <=JeffH> various issues in spec
[21:33:38] <=JeffH> will send bug reports to list
[21:34:02] <=JeffH> henry from JPL: do we want to promulgate an authn std that isn't secure?
[21:34:12] Patrik Wallström leaves the room
[21:34:17] Patrik Wallström joins the room
[21:34:44] <=JeffH> and wrt all effort gone into oauth, what if we took all those manhours and had rather improved browser impls, would we be better off
[21:35:01] <=JeffH> eliot lear: market decided, not going to do that
[21:35:13] <=JeffH> absent that -- this looks like a good start
[21:35:51] <=JeffH> a lot of oauth folk taking off after today -- unfortunate because we could have bar bof later on in week to make progress
[21:37:06] <=JeffH> hannes: am having a room slot right after this session -- can try to go thru doc editing discussion then
[21:38:18] <=JeffH> psa: so ietf value-add is to get cross-area review and such -- can leverage that
[21:38:43] eliot.lear joins the room
[21:39:29] <=JeffH> hannes: thinking of having a f2f interim in april in order to make some progress
[21:39:46] <=JeffH> dh: iiw in may?
[21:40:05] http://www.internetidentityworkshop.com/
[21:40:25] that is May 17-19 at the Computer History Museum
[21:41:13] Alan DeKok leaves the room
[21:41:13] Lisa leaves the room
[21:41:28] <=JeffH> dh: why is group here @ietf? value is to get peer-review
[21:41:37] <=JeffH> we need more explicit feedback
[21:41:37] eliot.lear leaves the room
[21:41:48] Patrik Wallström leaves the room
[21:41:53] Patrik Wallström joins the room
[21:42:22] Getting those kinds of input is one of the benefits of the f2f meetings
[21:42:50] <=JeffH> ekr: have to be realistic about what folks are willing to do
[21:43:21] <=JeffH> if the thing with oauth is the crypto is too hard on client, and no one is going to do, then sure, just kill it
[21:44:29] martin.thomson leaves the room
[21:44:38] <=JeffH> derek atkins: agree with ekr
[21:45:29] cw-ietf leaves the room
[21:45:33] <=JeffH> hannes: leif -- can u give channel bindings overview?
[21:45:49] Alan DeKok joins the room
[21:46:21] RFC 5056?
[21:46:32] <=JeffH> leif johansson: http://tools.ietf.org/search/rfc5056
[21:46:37] <=JeffH> On the Use of Channel Bindings to Secure Channels
[21:46:48] <=JeffH> ie "layer violations for fun & profit"
[21:46:49] Karen O'Donoghue leaves the room
[21:47:06] <=JeffH> do a crypto binding of sec contexts vertically up & down the "stack"
[21:47:23] Patrik Wallström leaves the room
[21:47:29] <=JeffH> thus recipient can verify that the stack is configed as expected
[21:48:12] <=JeffH> msft pub'd an info RFC describes how they use channel bind to protect digest authn
[21:49:44] <=JeffH> Channel binding for HTTP Digest Authentication
[21:49:49] <=JeffH> draft-santesson-digestbind-01.txt
[21:49:55] <=JeffH> read that too
[21:50:01] <=JeffH> Leif sez
[21:50:13] ray_atarashi leaves the room
[21:50:18] Lisa joins the room
[21:50:34] <=JeffH> henry hotz (jpl d00d)
[21:50:57] <=JeffH> channel bind is a way to verify that there is no MITM on the stack
[21:52:00] <=JeffH> msft did upgrade to nego that added channel bind
[21:52:23] davem leaves the room: offline
[21:52:35] <=JeffH> brian eaton: in deployments don't have a tunnel btwn parties
[21:52:54] <=JeffH> short-lived capabilities are easier and more appropriate
[21:53:12] <=JeffH> room for further discussion right now is Carmel
[21:53:41] lynch leaves the room
[21:54:13] <=JeffH> dh: wrt ekr's comment, there's diff use cases, so found folks using it in varying fashions, so probably want to have the msg sec thing in there, think it will get used
[21:54:19] <=JeffH> by some folks
[21:55:18] richard.barnes leaves the room
[21:55:19] richard.barnes joins the room
[21:55:29] <=JeffH> joseph smarr: are oauth sigs soph enough for folks who really want that sort of sec?
[21:55:33] David Recordon leaves the room
[21:55:46] <=JeffH> psa: that's connected to channel binding discussion I think
[21:55:54] davem joins the room
[21:55:58] buckeyeskeeve leaves the room
[21:56:24] davem leaves the room: offline
[21:57:48] <=JeffH> em: we're interested in sugs -- discussion is about security sophistication
[21:58:16] <=JeffH> ekr: easy attacks if you didn't figger this stuff out correctly
[21:58:28] fenton leaves the room
[21:58:40] tlyu leaves the room
[21:58:47] zhipeng joins the room
[21:58:50] Blaine Cook leaves the room
[21:58:51] markus.isomaki leaves the room
[21:58:53] <=JeffH> scott cantor: earlier claim that it is easy to check svr certs as to their ident-- I beg to differ
[21:59:00] eburger leaves the room
[21:59:00] <=JeffH> **** mtg adjourned (****
[21:59:13] Lisa leaves the room
[21:59:18] zhipeng leaves the room: Computer went to sleep
[21:59:33] =JeffH leaves the room: Logged out
[21:59:41] richard.barnes leaves the room
[22:00:22] sm leaves the room
[22:00:23] Eran Hammer-Lahav leaves the room
[22:02:13] stpeter leaves the room: Computer went to sleep
[22:06:35] stpeter joins the room
[22:09:12] Alan DeKok leaves the room
[22:11:49] Karen O'Donoghue joins the room
[22:12:03] Dave Thaler leaves the room
[22:16:49] stpeter leaves the room: Disconnected: Replaced by new connection
[22:18:43] Melinda leaves the room
[22:25:04] Lisa joins the room
[22:27:03] richard.barnes joins the room
[22:50:12] Lisa leaves the room
[22:51:13] sftcd leaves the room
[22:58:00] sftcd joins the room
[23:00:52] sftcd leaves the room
[23:01:07] richard.barnes leaves the room
[23:01:41] richard.barnes joins the room
[23:01:55] Karen O'Donoghue leaves the room
[23:06:03] richard.barnes leaves the room
[23:20:33] Karen O'Donoghue joins the room
[23:41:30] Karen O'Donoghue leaves the room