Folks,
We had a sidebar meeting at IETF 117 last week in San Francisco regarding 
the possible use of OpenID Connect/OAuth 2.0 as a mechanism to deliver 
RATS-based device attestation.

The meeting was attended by about 15 people, mostly from the identity community 
(folks who regularly attend OAuth 2.0, OIF and IWW).

From the start of the discussion, it was clear that there was some terminology 
mismatch between the various folks and communities.

For example, in OAuth 2.0 language the word "Client" is typically used to 
mean the service that is being driven by the user, e.g., to authorize access 
to a Resource Server (RS), which is typically also a RESTful web-based service.

However, in RATS and TCG language, the "Client" often means the hardware device 
(in the possession of a user) that will generate evidence regarding the 
composition (hardware, firmware, software) of the device.

Some folks also mentioned interesting use cases that the RATS community perhaps 
has not previously considered. For example, prior to connecting to the RS, it 
is possible that the OAuth 2.0 Client (e.g., hosted by a provider) may seek 
device attestations from the RS machine itself (and vice versa).

All in all, we believe that a productive next step would be a discussion on the 
RATS mailing list regarding common terminology, something that is meaningful to 
the RATS community as well as the broader IETF community.

There are three early-stage I-Ds that seem to describe aspects of 
a comprehensive approach to attestation for identity infrastructures:

https://datatracker.ietf.org/doc/draft-looker-oauth-attestation-based-client-auth/
https://datatracker.ietf.org/doc/draft-tschofenig-oauth-attested-dclient-reg/
https://datatracker.ietf.org/doc/draft-sh-rats-oidcatt/
Referring to these drafts for context (and possible disagreement) may help with 
the conversation.

I'm cross-posting to several working groups, but the discussion thread will be 
exclusive to the RATS WG (r...@ietf.org).

Best
Ned & Thomas

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth