Re: [OAUTH-WG] IETF117 - OAuth WG call for topics

2023-07-10 Thread Michael Jones
Aaron Parecki and I would like 15-20 minutes to discuss:
  OAuth 2.0 Protected Resource Metadata
  https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html

Per my previous e-mail, we made the updates requested by the working group at 
IETF 116, combining the approaches in our two drafts.  We’re both happy with 
the result.

See you in San Francisco!

   -- Mike

From: OAuth  On Behalf Of Rifaat Shekh-Yusef
Sent: Wednesday, July 5, 2023 4:49 AM
To: oauth 
Subject: [OAUTH-WG] IETF117 - OAuth WG call for topics

All,

We have 3 official sessions in San Francisco!!!

  *   Wednesday 9:30-11:30
  *   Thursday, 13:00-15:00
  *   Friday 9:30-11:30

Please, let us know as soon as possible if you have topics that you would like 
to discuss.

Regards,
 Rifaat & Hannes
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


[OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate

2023-07-10 Thread Michael Jones
In collaboration with Aaron Parecki, the ability
for OAuth 2.0 protected resource servers to return their resource identifiers
via WWW-Authenticate has been added to the OAuth 2.0 Protected Resource
Metadata specification. This enables clients to dynamically learn about and use
protected resources they may have no prior knowledge of, including learning
what authorization servers can be used with them.

This incorporates functionality originally incubated in
draft-parecki-oauth-authorization-server-discovery-00. Aaron and I had been
asked to merge the functionality of our two drafts during an OAuth working
group session at IETF 116. We're both happy with the result!

The specification is available at:
https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html

   -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2377 and was 
referenced from https://twitter.com/selfissued/status/1677471513023508481.



[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-09.txt

2023-07-10 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : The OAuth 2.1 Authorization Framework
   Authors : Dick Hardt
             Aaron Parecki
             Torsten Lodderstedt
   Filename: draft-ietf-oauth-v2-1-09.txt
   Pages   : 90
   Date    : 2023-07-10

Abstract:
   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-v2-1-09

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




Re: [OAUTH-WG] Request for Feedback on "SD-JWT VC" Draft Specification

2023-07-10 Thread Oliver Terbu
Dear all,

Thank you all for your feedback so far.

I would like to share an update on the SD-JWT VC draft that Daniel Fett and
I have been working on.

Here is the link to the updated IETF data tracker:
https://datatracker.ietf.org/doc/draft-terbu-oauth-sd-jwt-vc/

Please note that we had to make a change to the IETF data tracker name.

I am excited about the opportunity to present the draft specification in
person at IETF 117.

Thank you,
Oliver

On Thu, Jun 8, 2023 at 12:15 PM Rifaat Shekh-Yusef 
wrote:

> Thank you all for your feedback on this document.
>
> The chairs would like to make it clear that this is a call for feedback at
> this stage.
> This is *NOT* a call for adoption, because we think it is too early for
> that. We would like to see more feedback and discussion on the list and
> during the coming IETF meeting before considering adoption.
>
> Regards,
>  Rifaat & Hannes
>
>
> On Wed, Jun 7, 2023 at 10:02 PM Michael Jones 
> wrote:
>
>> Here’s some feedback based on a full read of the draft…
>>
>> You will eventually be asked to reference RFC 8174, as is done at
>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-conventions-and-terminology.
>> You might as well do it sooner than later.
>>
>> To follow the IETF draft naming conventions, you need to include the
>> intended working group name as the third component of the draft name.  So
>> for instance, this draft should probably be renamed to
>> draft-terbu-oauth-sd-jwt-vc or draft-terbu-jose-sd-jwt-vc.
>>
>> In
>> https://www.ietf.org/archive/id/draft-terbu-sd-jwt-vc-02.html#section-4.2.2.2
>> (Registered JWT Claims), I’d specify that the “iss” value must be a URL
>> using the “https” scheme.  That way the .well-known/jwt-issuer metadata
>> will always be retrievable.
>>
>> In
>> https://www.ietf.org/archive/id/draft-terbu-sd-jwt-vc-02.html#section-4.2.2.2
>> (Registered JWT Claims), why must the “sub” value be a URI?  Are we not
>> interested in use cases where the “sub” references, for example, an OAuth
>> client, where the Client ID value is a UUID (a string)?  StringOrURI seems
>> like a better choice.
>>
>> In
>> https://www.ietf.org/archive/id/draft-terbu-sd-jwt-vc-02.html#section-5.1
>> (JWT Issuer Metadata Request), I question whether “If the iss value
>> contains a path component, any terminating / MUST be removed before
>> inserting /.well-known/ and the well-known URI suffix between the host
>> component and the path component.” is always the right choice.  Yes, I
>> know that that’s what it takes to conform to RFC 5785 and I wrote similar
>> text at https://www.rfc-editor.org/rfc/rfc8414#section-5, but
>> practically, the permissions on servers may not be administered in a way
>> that allows tenants to write to this location.  (Yes, I plan to continue
>> the conversation with Mark Nottingham about allowing .well-known in
>> locations other than the root.)
>>
>> I especially like this section
>> https://www.ietf.org/archive/id/draft-terbu-sd-jwt-vc-02.html#name-jwt-issuer-metadata-4
>> (JWT Issuer Metadata)!
>>
>> Hope you find this review useful…
>>
>> -- Mike
>>
>> From: OAuth On Behalf Of Oliver Terbu
>> Sent: Saturday, May 27, 2023 2:56 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] Request for Feedback on "SD-JWT VC" Draft
>> Specification
>>
>> Dear all,
>>
>> I hope this email finds you well. I am writing to introduce "SD-JWT-based
>> Verifiable Credentials with JSON payloads” (SD-JWT VC):
>>
>> https://datatracker.ietf.org/doc/draft-terbu-sd-jwt-vc/
>>
>> This proposal builds upon the existing SD-JWT specification by the OAuth
>> WG and aims to address certain gaps and provide specific guidance for
>> utilizing SD-JWT in the context of Verifiable Credentials. For example,
>> while SD-JWT defines how to implement selective disclosure in JWTs (an
>> important building block in many Verifiable Credential use cases), it is
>> not opinionated about the specific JWT Claim Sets in the payload to
>> represent Verifiable Credentials and used with HB-JWT.
>>
>> As you may be aware, the SD-JWT specification has already been adopted by
>> the OAuth WG and has gained significant traction within the industry.
>> However, the SD-JWT specification does not provide explicit guidance on
>> using SD-JWT for Verifiable Credentials.
>>
>> The eIDAS 2.0 Architecture Reference Framework (ARF) has expressed a keen
>> interest in utilizing SD-JWT for Verifiable Credentials, and SD-JWT VC
>> became one of the two core credential formats of the European Digital
>> Wallet (EUDIW):
>>
>>
>> https://github.com/eu-digital-identity-wallet/architecture-and-reference-framework
>>
>> Verifiable Credentials play a crucial role in enhancing digital trust and
>> enabling secure identity interactions in various domains. To ensure the
>> seamless integration of SD-JWT into the eIDAS ARF and similar initiatives,
>>
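As an added illustration (not code from the draft or from anyone in this thread), the following Python implements the JWT Issuer Metadata URL construction rule quoted in Mike's review (well-known path inserted between host and path, RFC 8414 style, after dropping any terminating "/"), together with the "https"-only check he suggests. The suffix name jwt-issuer is taken from the review text; the rejection of query and fragment components is an assumption carried over from RFC 8414's issuer-identifier rules.

```python
from urllib.parse import urlsplit, urlunsplit

# Well-known suffix named in the review ("the .well-known/jwt-issuer metadata");
# assumed here to be the suffix the draft registers.
WELL_KNOWN_SUFFIX = "jwt-issuer"


def jwt_issuer_metadata_url(iss: str) -> str:
    """Return the .well-known metadata URL for an "iss" value.

    Rule from the quoted draft text: if iss has a path component, strip any
    terminating "/" and insert "/.well-known/<suffix>" between the host and
    the path. Without a path the suffix is simply appended to the host.
    Also enforces the review's suggestion that iss be an https URL.
    """
    parts = urlsplit(iss)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"iss must be an https URL with a host: {iss!r}")
    # Assumption (RFC 8414 issuer identifier rules): no query or fragment.
    if parts.query or parts.fragment:
        raise ValueError(f"iss must not carry a query or fragment: {iss!r}")
    path = parts.path.rstrip("/")          # remove any terminating "/"
    new_path = f"/.well-known/{WELL_KNOWN_SUFFIX}{path}"
    return urlunsplit((parts.scheme, parts.netloc, new_path, "", ""))


def is_acceptable_iss(iss: str) -> bool:
    """True when iss passes the checks above (https, host, no query/fragment)."""
    try:
        jwt_issuer_metadata_url(iss)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample issuers, including the multi-tenant path case the
    # review is concerned about: both tenants' metadata lands under the root.
    for sample in ("https://issuer.example",
                   "https://issuer.example/tenant1/",
                   "https://issuer.example/tenant2"):
        print(sample, "->", jwt_issuer_metadata_url(sample))
```

Note how both tenant issuers resolve under the server root's /.well-known/ tree, which is exactly why the review questions whether tenants will be able to publish there.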

Re: [OAUTH-WG] New Version Notification for draft-identity-chaining-00.txt

2023-07-10 Thread Pieter Kasselman
Hi folks

Following on from discussions at previous IETF meetings (starting at IETF 114)
on identity chaining, Arndt, Kelly, Mike and I prepared a proposal that would
allow for identity chaining across trust domains to support fine-grained
authorization scenarios.

It was uploaded as an individual draft and you can view it here:
https://datatracker.ietf.org/doc/draft-identity-chaining/

Comments and feedback are most welcome. You can also open issues or suggest
changes here: https://github.com/arndt-s/ietf-identity-chaining

Rifaat, would it be possible to get time on the agenda at IETF 117 to discuss 
this proposal?

Cheers

Pieter


-Original Message-
From: internet-dra...@ietf.org 
Sent: Monday, July 10, 2023 4:26 PM
To: Arndt Schwenkschuster ; Kelley Burgin 
; Michael Jenkins ; Mike 
Jenkins ; Pieter Kasselman 
; Pieter Kasselman 

Subject: New Version Notification for draft-identity-chaining-00.txt


A new version of I-D, draft-identity-chaining-00.txt has been successfully 
submitted by Arndt Schwenkschuster and posted to the IETF repository.

Name:   draft-identity-chaining
Revision:   00
Title:  Identity Chaining across Trust Domains
Document date:  2023-07-10
Group:  Individual Submission
Pages:  17
URL:https://www.ietf.org/archive/id/draft-identity-chaining-00.txt
Status: https://datatracker.ietf.org/doc/draft-identity-chaining/
Html:   https://www.ietf.org/archive/id/draft-identity-chaining-00.html
Htmlized:   https://datatracker.ietf.org/doc/html/draft-identity-chaining


Abstract:
   This specification defines a mechanism to preserve identity and call
   chain information across trust domains that use the OAuth 2.0
   Framework.




The IETF Secretariat




Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-02.txt

2023-07-10 Thread Pieter Kasselman
Hi folks, we updated the Cross-Device Flows: Security Best Current Practice 
based on feedback received after IETF 116.

Updates include:

- Introduced Cross-Device Consent Phishing as a label for the types of attacks
described in this document.
- Updated labels for the different types of flows (User-Transferred Session Data
Pattern, Backchannel-Transferred Session Pattern, User-Transferred
Authorization Data Pattern).
- Adopted consistent hyphenation of "cross-device".
- Consistent use of "Authorization Device".
- Updated the reference to the Secure Signals Framework to reflect its name change
from Secure Signals and Events.
- Described the difference between proximity-enforced and proximity-less
cross-device flows.
- Fixed typos and grammar.
- Capitalised Initiating Device and Authorization Device.
- General editorial pass.

Rifaat, we would like to request time on the agenda to discuss the pros/cons
and any concerns that may arise from introducing normative requirements (see
https://mailarchive.ietf.org/arch/msg/oauth/dhQQsJjHqMnmUdTaUsKyEQ3uuLw/), as
well as outstanding open issues
(https://github.com/oauth-wg/oauth-cross-device-security/issues), and propose
next steps for this draft.

Cheers

Pieter

-Original Message-
From: OAuth  On Behalf Of internet-dra...@ietf.org
Sent: Monday, July 10, 2023 10:20 AM
To: i-d-annou...@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-02.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG 
of the IETF.

   Title   : Cross-Device Flows: Security Best Current Practice
   Authors : Pieter Kasselman
             Daniel Fett
             Filip Skokan
   Filename: draft-ietf-oauth-cross-device-security-02.txt
   Pages   : 43
   Date    : 2023-07-10

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-02

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-02.txt

2023-07-10 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Cross-Device Flows: Security Best Current Practice
   Authors : Pieter Kasselman
             Daniel Fett
             Filip Skokan
   Filename: draft-ietf-oauth-cross-device-security-02.txt
   Pages   : 43
   Date    : 2023-07-10

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-02

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

