[15:49:46] stpeter joins the room
[15:55:49] richard.barnes joins the room
[15:56:00] <richard.barnes> stpeter, are you there?
[15:57:32] <stpeter> I am
[16:00:18] <richard.barnes> nm, addressed out-of-band
[16:00:32] <stpeter> :)
[16:02:14] <richard.barnes> are you in CA for the meeting?
[16:02:45] <richard.barnes> (someone really should deconflict the USPS state code and ISO 3166 country code lists...)
[16:02:58] <stpeter> yes I am
[16:03:05] <stpeter> plus I'm on the IESG telechat :)
[16:03:41] <richard.barnes> fun!
[16:25:23] fenton joins the room
[16:27:04] <stpeter> agenda...
[16:27:33] dick.hardt joins the room
[16:27:34] <stpeter> we're going to run through the spec and list the open issues, then prioritize the issues, then delve into detailed discussion
[16:27:44] <stpeter> after that, we'll have a presentation or two and other topics
[16:27:47] <stpeter> or so it seems :)
[16:28:49] <stpeter> Hannes is describing the process for reviewing and advancing the spec in the IETF
[16:32:20] <stpeter> moving on to a discussion about scnenarios by Zachary Zeltsan
[16:33:10] <stpeter> I think the slides are not available, are they?
[16:34:03] <stpeter> use case template would include:
[16:34:11] <stpeter> (1) description
[16:34:23] <stpeter> (2) preconditions / assumptions
[16:35:47] <stpeter> [ Zachary lists a number of questions that need to be addressed when defining the preconditions]
[16:35:47] <fenton> (slides are on the webex session; will be uploaded somewhere afterwards, I expect)
[16:35:59] <stpeter> (3) Involved entities
[16:36:11] <stpeter> next slide
[16:36:15] Eve Maler joins the room
[16:36:25] <stpeter> a pretty picture that provides an overview of the use cases discussed to date
[16:38:40] <stpeter> most use cases are within OAuth 2.0 but some are not
[16:39:52] <stpeter> use cases not covered so far are: recursive delegation, SIP auth, access token exchange, and signature-with-asymmetric-secret
[16:41:37] <stpeter> Hannes: are some flows more experimental than others?
[16:49:46] <stpeter> chairs have been re-arranged
[16:50:08] <stpeter> Brian Eaton: maybe some things are really experimental, like device flow
[16:51:07] <Eve Maler> so there are several axes: implementation (done/planned/not planning to), deployment (done/planned/not planning to), novelty (codifies current practice/has novel elements/is totally new)
[16:55:15] <stpeter> listing out implementations of the different flow types
[16:55:30] <stpeter> quite a few of user agent and web server
[16:55:46] <stpeter> some implementations of the others
[16:56:05] tatsuki joins the room
[16:56:45] David Recordon joins the room
[16:57:48] <stpeter> talking about assertion flow -- more a family of flows than a single flow
[16:59:18] <stpeter> eran: perhaps put all assertion stuff in another spec, or put the assertion "template" in core and then define instances in other specs
[17:03:00] Eve Maler leaves the room
[17:06:27] <fenton> stpeter has left the (physical) room
[17:06:45] Zash joins the room
[17:06:55] Zash leaves the room: offline
[17:06:55] <fenton> eve:  UMA has cases where resource and authorization servers are separate
[17:07:02] Zash joins the room
[17:09:58] <fenton> straw poll:  leaving assertion stuff (?) in the spec seems to be preferred
[17:10:53] <stpeter> (sorry, I had to step out for the IESG telechat)
[17:11:25] <fenton> I'll try to scribe a bit but not sure I'll be very good at it.  Others feel free to jump in
[17:14:28] <fenton> eve:  Authentication methods are over-determined in the flows
[17:14:49] <fenton> need to consider authentication that considers out of band methods
[17:16:19] <fenton> zachary asked to post his draft with flows, etc. to the list
[17:16:30] <fenton> s/flows/scenarios/
[17:17:48] <fenton> Blaine asks people with laptops to stay engaged
[17:18:01] David Recordon leaves the room
[17:18:53] David Recordon joins the room
[17:21:11] <fenton> (pausing while loading the next presentation)
[17:25:09] <fenton> brian eaton speaking, "Signing in OAuth 2"
[17:26:39] <fenton> Not much crypto implementation yet
[17:27:20] <fenton> Some people CPU-bound, don't want to use https
[17:28:06] <fenton> wants to just use JSON for all of it
[17:29:10] <fenton> web server need to guess "what was the client thinking when they signed this message"
[17:30:33] <stpeter> Brian: should have the exact same crypto library for OAuth 2.0 and OpenID vnext
[17:30:54] <fenton> Expect use of OAuth over XMPP and IMAP; also OAuth SASL work
[17:31:19] <stpeter> need to remove binding between crypto and HTTP
[17:31:26] <fenton> Consider needs to upgrade the crypto algorithms, etc. over time
[17:31:56] <stpeter> hash agility FTW :)
[17:33:07] <fenton> Brian:  two-legged OAuth intro
[17:33:22] <stpeter> ok so that is one issue: crypto approach
[17:33:36] <stpeter> now moving to another open issue: 2-legged OAuth
[17:34:17] <stpeter> 2-legged = powerful role account
[17:35:59] <stpeter> possible solution: public key
[17:36:07] <fenton> issue of use of public key for client authentication vs. token authentication
[17:38:31] <stpeter> client_id = https URI where public key is located
[17:38:40] <stpeter> (http URI)
[17:38:52] <richard.barnes> public key or cert?
[17:39:05] <richard.barnes> if the former, in what format?
[17:39:35] <stpeter> richard.barnes: are you on the webex?
[17:42:03] <stpeter> richard.barnes: that's what we're discussing right now
[17:42:49] <richard.barnes> no, only barely tuned in
[17:43:04] <richard.barnes> my  $0.02: just use X.509, self-signed if you need it to be
[17:43:33] <stpeter> richard.barnes: that's where we seem to be headed
[17:56:40] <stpeter> Eve says perhaps just use magic signatures http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html
[17:57:14] <richard.barnes> magic sigs for key transport?
[17:57:21] <stpeter> no
[17:57:34] <stpeter> instead of signature base strings
[17:57:58] <richard.barnes> well, the tough thing is normalization anyway, magicsig doesn't help with that
[17:58:25] <stpeter> right, Eran is talking about normalization right now :)
[17:58:38] <richard.barnes> man, i am just freakin psychic today
[17:58:45] <stpeter> only today?
[17:58:48] <David Recordon> so that the request could be http://server.com/foo/bar?a=1&b=2 while the client included the URL of http://sever.com/foo/bar?b=2&a=1 in the signature
[17:58:50] <richard.barnes> comes and goes
[17:58:53] <richard.barnes> unpredictably :)
[17:58:54] <David Recordon> so the server still needs to normalize and compare
[17:59:07] dick.hardt leaves the room
[18:00:11] Eve Maler joins the room
[18:06:55] fenton leaves the room: Replaced by new connection.
[18:06:55] fenton joins the room
[18:09:19] Christian Scholz joins the room
[18:10:04] <Christian Scholz> oh, there are people here :) Is it still ongoing? Anything to see remotely?
[18:12:36] Christian Scholz leaves the room
[18:20:41] <fenton> Blaine is listing issues on the whiteboard
[18:20:48] <stpeter> oops
[18:20:49] <fenton> Unfortunately not a networked whiteboard
[18:21:19] <richard.barnes> just general open issues for oauth?
[18:22:40] Zash leaves the room: offline
[18:24:13] <fenton> They're going linearly through the -05 draft and making a list of open issues
[18:24:51] <Eve Maler> Since I just came back to the room and need to read the whiteboard somehow anyway, let me transcribe here what's up there...
[18:24:54] <Eve Maler> Intro:
[18:25:02] <Eve Maler> - Purposes/use cases should appear in intro
[18:25:22] <Eve Maler> - Describe role wrt OpenID and auth schemes ??
[18:25:53] <Eve Maler> - Requirements should be removd out of intro
[18:26:02] <Eve Maler> Intro should describe goals and possibilities of OAuth
[18:26:23] <Eve Maler> - REquirements is a limited set, but it should be clarified that they're not the *only* reqs
[18:26:29] <Eve Maler> Terminology:
[18:26:48] <Eve Maler> - We don't say what client secret is
[18:26:54] <Eve Maler> - Describe relationships between terms
[18:27:02] <Eve Maler> - Cryptographic terms ??
[18:27:07] <Eve Maler> - Verification code
[18:27:16] <Eve Maler> - Cliented defined as HTTP, not the case
[18:27:22] <Eve Maler> s/Cliented/Client/
[18:27:26] <Eve Maler> Overview:
[18:27:39] <Eve Maler> - Should relate to Intro (confusing)
[18:27:54] <Eve Maler> - Standardization of tokens should be called out as defined elsewhere
[18:28:04] <Eve Maler> - Call out the face that separation of resource and authz serviers is not in scope
[18:28:15] <Eve Maler> - Intro talks about three flows. We have 6, maybe 7 or 8
[18:30:28] <richard.barnes> aside: why do we have so many flows?  (caveat: have not looked at document lately)
[18:30:31] <Eve Maler> (Terminology: Call that bearer tokens are access tokens and cover cryptographic variant)
[18:31:09] <Eve Maler> Richard, I'd say each has different constraints and user interaction styles around authentication/consent
[18:31:25] <Eve Maler> continuing with transcription...
[18:31:28] <Eve Maler> Examples:
[18:31:31] <Eve Maler> - Scope?
[18:31:43] <Eve Maler> - Best one?
[18:32:20] <richard.barnes> eve: might be helpful if there were some taxonomy, like a table to show how constraints/capabilities => flows
[18:32:20] <Eve Maler> Conformance:
[18:32:40] <Eve Maler> - Useful?
[18:32:40] <richard.barnes> gotta go, thanks to folks for facilitating jabber session!
[18:32:45] richard.barnes leaves the room
[18:33:33] <Eve Maler> (should I bother continuing transcription? not a lot of people left in here)
[18:33:40] <Eve Maler> (I'll stop)
[18:35:02] Eve Maler leaves the room
[19:11:49] David Recordon leaves the room
[19:12:43] dick.hardt joins the room
[19:17:29] David Recordon joins the room
[19:50:30] fenton leaves the room: Replaced by new connection.
[19:50:31] fenton joins the room
[20:11:45] David Recordon leaves the room
[20:13:50] David Recordon joins the room
[20:39:46] David Recordon leaves the room
[20:41:57] David Recordon joins the room
[21:22:17] fenton leaves the room: Disconnected.
[21:36:23] <stpeter> wow we've really ignored the room here -- sorry about that
[21:59:12] fenton joins the room
[21:59:23] fenton leaves the room: Disconnected.
[22:03:36] fenton joins the room
[23:01:12] dick.hardt leaves the room
[23:17:50] fenton leaves the room
[23:24:21] tatsuki leaves the room: Computer went to sleep
[23:26:54] David Recordon leaves the room