IETF
oauth@jabber.ietf.org
Tuesday, July 18, 2017
rsalz has set the subject to: OAUTH at IETF98 https://datatracker.ietf.org/meeting/98/session/oauth
GMT+0
[11:17:51] Meetecho joins the room
[11:26:41] Rifaat Shekh-Yusef joins the room
[11:27:13] Dave Tonge joins the room
[11:28:00] Roland Hedberg joins the room
[11:28:50] Justin Richer joins the room
[11:29:09] Mike Jenkins joins the room
[11:29:37] Sean Leonard joins the room
[11:30:49] Rifaat Shekh-Yusef leaves the room
[11:30:58] Rifaat Shekh-Yusef joins the room
[11:31:29] Bjorn Hjelm joins the room
[11:31:34] cw-ietf joins the room
[11:31:36] <Mike Jenkins> Good afternoon. If you'd like a comment read at the mic, please preface it with "mic:"
[11:31:44] <Meetecho> Can anybody tell the chair his mic is off?
[11:31:53] <Meetecho> We can't hear them remotely
[11:32:09] <Meetecho> Thx!
[11:32:15] <Mike Jenkins> no prob
[11:34:25] Stephen Checkoway joins the room
[11:36:28] yuki goto joins the room
[11:38:16] Hannes Raddatz joins the room
[11:43:37] <Sean Leonard> the camera is aimed at the ceiling
[11:43:42] <Justin Richer> @meetecho camera at the ceiling
[11:44:03] <Meetecho> Justin Richer: yep, working on that, sorry...
[11:44:59] <Justin Richer> @meetecho that's better, thanks!
[11:45:14] <Meetecho> We'll try to stick to the ground level, this time :)
[11:49:26] Jeffrey Yasskin joins the room
[11:50:56] <Sean Leonard> Mic: I read the draft. Good work. I would like to see more algorithm agility for the confirmation method, i.e., more than just SHA-256. Hardcoding any algorithm is not safe because once it is cryptanalyzed, implementations will be hard-pressed to move off of it. Also, how can the certificate be transmitted with the token if a relying party wants the entire certificate?
[11:51:25] <Justin Richer> :raises hand:
[11:51:29] <Sean Leonard> :raises hand:
[11:52:44] <Mike Jenkins> Let me know if the answer is sufficient or you want follow up @sean
[11:53:02] <Sean Leonard> Mic: ok. yeah another hash algorithm/claim name can be defined. But an example would be good, as well as text in the draft that says just what you said (define a new confirmation method, etc.)
[11:53:41] <Mike Jenkins> waiting
[11:54:14] Hans Zandbelt joins the room
[11:54:30] <Sean Leonard> Mic: yeah i wanted to see how it interacts with the JWT spec, jose spec, etc. (like will one upstream registration be sufficient, or you have to do one specifically for mutual tls oauth)
[11:54:31] <Justin Richer> mic: if the "cnf" is registered with all the semantics of JWT for its sub-bits then it should flow through to introspection, right?
[11:56:38] <Justin Richer> That answer covers it for me, thank you.
[11:56:51] <Sean Leonard> mic: I still would like to see some way to get the certificate that is submitted via mutual TLS out to relying parties. It doesn't have to be in "cnf", but I think some method of retrieval would be helpful. (and if it's not in the token, then it has to be stored and referenced, which has downsides)
[11:57:20] <Sean Leonard> mic: oh ok, if it's available to all, would like to see text that describes the availability
[11:58:22] <Mike Jenkins> active line, sorry for the delay
[11:58:55] <Mike Jenkins> @sean do you still want that read?
[11:59:10] <Sean Leonard> mainly the second part
[11:59:18] <Sean Leonard> REVISED mic:
[12:00:15] <Sean Leonard> some method of retrieval would be helpful. (and if it's not in the token, then it has to be stored and referenced, which has downsides). if it's available to all, would like to see text that describes how (or at least, the fact that) all parties have access to the certificate itself
[12:02:09] <Sean Leonard> second mic: i disagree with hashing the SPKI. The relevant security token is the certificate, not the public key. The public key can be extracted from the certificate; not the other way. This also assumes that the cert is available to all parties. (I agree with John Bradley just now.)
[12:02:29] Renzo Navas joins the room
[12:03:21] <Sean Leonard> haha, you know what i mean :)
[12:06:20] <Justin Richer> mic: I have a client who's implementing this in the near future so we'll be reading this in depth
[12:08:05] Lars Wegmann joins the room
[12:11:22] Philip Lafrance joins the room
[12:12:15] Bjorn Hjelm leaves the room
[12:15:11] <Justin Richer> Hi, John
[12:15:16] <Justin Richer> (no you don't have to put that to the mic)
[12:15:29] <Mike Jenkins> thx :)
[12:36:20] <Mike Jenkins> :gauntlet thrown:
[12:36:59] <Justin Richer> mic: I agree with Brian that HTTP signing is limited to places where it makes sense -- HTTP isn't simple to deal with. It was never meant to be universal, just useful.
[12:37:44] <Justin Richer> I also agree that mTLS is a huge pain in the ass and we won't see it everywhere either. Why not both?
[12:39:21] netwerkeddude@gmail.com joins the room
[12:40:18] Sean Leonard leaves the room
[12:42:51] Peter DeVries joins the room
[12:43:16] ekr joins the room
[12:43:46] <ekr> For my information: mTLS == mutual TLS?
[12:44:06] <Jeffrey Yasskin> ekr: Yes, draft-ietf-oauth-mtls
[12:50:50] pgrassi joins the room
[12:59:31] Jeffrey Yasskin leaves the room
[13:01:00] Jeffrey Yasskin joins the room
[13:01:25] Hannes Raddatz leaves the room
[13:04:14] <Dave Tonge> mic: should a hint not be sent in the authorisation request that the client is going to apply incremental auth - this will allow the AS to customise the consent screen. I agree with not sending a token in the authorisation request, but maybe a flag should be sent.
[13:04:24] <ekr> do we have a jabber scribe?
[13:04:34] <ekr> (I am at the mic and can do it if someone wants)
[13:05:21] <Mike Jenkins> @dave you're fifth in line
[13:05:38] <Dave Tonge> thanks
[13:08:14] Arne Wall joins the room
[13:10:10] Stefan Santesson joins the room
[13:10:40] <Justin Richer> :raises hand:
[13:10:51] <Dave Tonge> :raises hand:
[13:11:54] <Mike Jenkins> I indicated the raised hands but follow up on email or something.... :)
[13:17:34] patrick hu joins the room
[13:18:52] Stephen Hutchinson joins the room
[13:21:51] <Dave Tonge> :raises hand:
[13:23:50] patrick hu leaves the room
[13:26:29] netwerkeddude@gmail.com leaves the room
[13:28:20] Dave Tonge leaves the room
[13:29:45] <ekr> The other paper I was referencing was:
[13:29:45] <ekr> http://www.cs.unc.edu/~fabian/papers/foniks-oak11.pdf
[13:31:59] Jeffrey Yasskin leaves the room
[13:32:07] <Mike Jenkins> we're done
[13:32:17] ekr leaves the room
[13:32:46] Meetecho leaves the room
[13:33:03] yuki goto leaves the room
[13:33:03] Rifaat Shekh-Yusef leaves the room
[13:33:03] Philip Lafrance leaves the room
[13:33:03] Peter DeVries leaves the room
[13:33:03] Hans Zandbelt leaves the room
[13:33:03] Stephen Hutchinson leaves the room
[13:33:03] Arne Wall leaves the room
[13:33:03] Renzo Navas leaves the room
[13:33:03] Justin Richer leaves the room
[13:33:04] Roland Hedberg leaves the room
[13:33:28] Lars Wegmann leaves the room
[13:34:18] pgrassi leaves the room
[13:37:58] Stefan Santesson leaves the room: Disconnected: closed
[13:39:05] ekr joins the room
[13:39:20] ekr leaves the room
[13:45:35] Mike Jenkins leaves the room
[13:47:12] Stefan Santesson joins the room
[13:47:15] Jeffrey Yasskin joins the room
[13:51:09] Lars Wegmann joins the room
[13:51:15] metricamerica joins the room
[13:51:54] Lars Wegmann leaves the room
[13:51:57] cw-ietf leaves the room
[13:52:42] Lars Wegmann joins the room
[13:54:08] Lars Wegmann leaves the room
[13:55:33] Stephen Checkoway leaves the room
[13:58:26] metricamerica leaves the room
[13:58:52] netwerkeddude@gmail.com joins the room
[14:03:31] netwerkeddude@gmail.com leaves the room
[14:05:19] ekr joins the room
[14:12:40] ekr leaves the room
[14:14:11] Lars Wegmann joins the room
[14:14:22] Lars Wegmann leaves the room
[14:27:14] Jeffrey Yasskin leaves the room
[14:27:19] ekr joins the room
[14:29:49] Jeffrey Yasskin joins the room
[14:40:07] Lars Wegmann joins the room
[14:40:30] Lars Wegmann leaves the room
[14:41:58] Jeffrey Yasskin leaves the room
[14:50:59] ekr leaves the room
[14:57:03] Stefan Santesson leaves the room: Disconnected: closed
[14:59:39] ekr joins the room
[15:00:14] ekr leaves the room
[15:03:35] ekr joins the room
[15:39:00] ekr leaves the room
[15:41:17] ekr joins the room
[15:46:48] ekr leaves the room
[15:58:29] ekr joins the room
[16:07:47] ekr leaves the room
[16:12:45] ekr joins the room
[16:13:45] ekr leaves the room
[17:01:01] ekr joins the room
[17:23:15] ekr leaves the room
[19:50:26] ekr joins the room
[20:00:31] ekr leaves the room
[20:27:31] Stefan Santesson joins the room
[21:17:49] Stefan Santesson leaves the room: Disconnected: closed