OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

Presentation transcript:


Note Well
Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to:
–The IETF plenary session
–The IESG, or any member thereof on behalf of the IESG
–Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices
–Any IETF working group or portion thereof
–The IAB or any member thereof on behalf of the IAB
–The RFC Editor or the Internet-Drafts function
All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879). Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice. Please consult RFC 5378 and RFC 3979 for details. A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements. A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public.

Agenda Discuss security requirements and use cases in order to get a better understanding of the design space outlined in

Use Case #1: Load Balancer

Notes for Use Case 1
To prevent a load balancer from being used, channel bindings can be deployed. Alternatively, the operator of the resource server may decide to also “terminate” application security at the load balancer.

Use Case #2: “Unprotected” Resource

Notes for Use Case 2
This use case only assumes that TLS is not used by the resource server; OAuth 2.0 still requires TLS to be used with the authorization server. Hence, a TLS-incapable OAuth 2.0 client would require further changes.

Use Case #3: Prevent Access Token Re-Use

Notes for Use Case 3
Assumption:
–RS cannot re-generate the Authenticator.
Alternative solutions:
1. AS puts the intended recipient (RS1) into the access token.
2. AS encrypts the token with a key known to RS1 only.

Use Case #4: AS-to-RS Relationship Anonymity
Idea: the AS should not know with whom a resource owner is talking.
Implications:
–No RS info is made available to the AS by the client.
–RS does not interact with the AS (in the backend).
–AS signs the access token.
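The two slides above sketch the same mechanism from two sides: Use Case 3 (alternative 1) has the AS name the intended recipient inside the access token so that a token presented to a different RS is rejected, and Use Case 4 has the AS sign the token so that an RS can validate it locally without any backend interaction with the AS. The following is an added example, not part of the call's slides or of any OAuth WG draft; it assumes a verification key shared between the AS and each RS that was provisioned out of band (with an asymmetric scheme the RS would hold only the AS's public key), and it also enforces an explicit token lifetime, one of the questions raised on the Key Lifetime slide.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key, assumed to be provisioned out of band between the AS
# and every RS. It stands in for whatever verification key the deployment uses.
AS_SIGNING_KEY = b"constructed-as-signing-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as commonly used for compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the padding base64 requires for decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, scope: str,
                lifetime_s: int, now: Optional[int] = None) -> str:
    """AS side: build a token that names the intended recipient RS ("aud",
    Use Case 3 alternative 1), carries an explicit lifetime ("exp"), and is
    signed by the AS so that the RS can verify it offline (Use Case 4)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "scope": scope,
              "iat": now, "exp": now + lifetime_s}
    payload = _b64(json.dumps(claims, sort_keys=True,
                              separators=(",", ":")).encode())
    tag = hmac.new(AS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def validate_token(token: str, my_identity: str,
                   now: Optional[int] = None) -> Optional[dict]:
    """RS side: accept the token only if the AS signature verifies, the token
    is unexpired, and this RS is the named recipient. No call to the AS is
    needed. Returns the claims on success and None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(AS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None  # signature mismatch: forged or tampered token
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != my_identity:
        return None  # issued for another RS: re-use at this RS is rejected
    if now >= claims.get("exp", 0):
        return None  # explicit lifetime exceeded
    return claims


if __name__ == "__main__":
    token = issue_token("alice", "rs1.example", "read", lifetime_s=300, now=1000)
    print("RS1 accepts:", validate_token(token, "rs1.example", now=1100) is not None)
    print("RS2 accepts:", validate_token(token, "rs2.example", now=1100) is not None)
    print("RS1 after expiry:", validate_token(token, "rs1.example", now=1300) is not None)
```

The audience check is what stops a token obtained for RS1 from being replayed at RS2, and the signature check is what lets the RS make that decision without telling the AS which RS the resource owner is talking to. Alternative 2 from the Use Case 3 slide (encrypting the token under a key only RS1 holds) achieves the recipient restriction differently, by making the token unreadable to any other RS rather than by having it name its recipient.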

Open Issue: Client Instance
Client authentication allows authentication of the client to the AS.
–The same credentials may be re-used by a number of different client instances.
A suggestion was made to offer authentication of a client instance. By whom would this identification be used, and for what purpose? What identifier could be used?

Open Issue: Key Lifetime & Context
The client obtains keying material from the AS. Questions:
–Does it change when a new access token is requested?
–Is it valid only for a specific RS?
–When an access token with a new scope is requested, does the keying material change?
–Who contributes to the keying material: the client, the AS, or both?
–Is there an explicit lifetime associated with it?