IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

Documents in IESG Processing
– JWT (Mike)

Documents in IESG Processing, cont.
– Assertions (Brian)

Documents in IESG Processing, cont.
– Dynamic Client Registration (Justin)

IPR Disclosure on OAuth
– Late IPR disclosure from Nokia on RFC 6749: archive/web/oauth/current/msg13436.html
– We asked you to evaluate the disclosure within your company and to give us feedback.
– No feedback received. No problem?

Milestone Check

OAuth & Authentication
– Problem: OAuth is used outside its originally intended usage. Attempts to use OAuth for Web SSO lead to security problems.
– Our approach: make readers aware of the problems and point them to OpenID Connect.
– Draft write-up by Justin, see archive/web/oauth/current/msg13708.html
– Plan was to publish it on oauth.net

Proof-of-Possession
– Requirements/Use Cases/Threats/Architecture – Status: 4/5
– PoP Semantics for JWTs – Status: 4/5
– Authorization Server to Client Key Distribution – Status: 3/5 (see open issue)
– Signing of HTTP Requests – Status: 1/5 (currently strawman proposal)
– Token Binding work might be relevant: potential to re-use deployed solutions, such as
– Slow progress; how do we speed up work?

Recently added WG Drafts
– Token Exchange (Mike)
– Token Introspection (Justin)
– Request by JWS ver.1.0 for OAuth 2.0 (Nat)
– SPOP (Nat)