Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

2017-03-06 Thread Hannes Tschofenig
Yes, this matches my understanding of the discussions at the Seoul meeting.

On 03/04/2017 07:10 PM, Torsten Lodderstedt wrote:
> Hi Hannes,
> 
> just for clarification: as far as I remember the proposal in Seoul was to 
> turn the document into a BCP. 
> 
> Is this consistent with your expectation?
> 
> kind regards,
> Torsten.
> 
>> On 20.02.2017 at 12:02, Hannes Tschofenig wrote:
>>
>> Hi all,
>>
>> earlier this month we issued a call for adoption of the OAuth security
>> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
>> response was quite positive on the list (as well as during the last f2f
>> meeting).
>>
>> For this reason, we ask the authors to submit a WG version of the
>> document and to discuss new content for the document in preparation for
>> the next meeting.
>>
>> Note that the intention of the document is to discuss security topics as
>> they relate to the work in the OAuth working group. As this initial
>> document already does, it describes a problem statement and outlines
>> various ways to mitigate the problems. I expect the working group to
>> decide which solution approach is most appropriate and to detail it (at
>> a specification level) in a separate document (some of those documents
>> already exist in the working group). This should help us make decisions
>> that are not just point solutions for specific problems but rather
>> consider the big picture.
>>
>> Ciao
>> Hannes & Derek
>>
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 





Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

2017-03-05 Thread John Bradley
A BCP is still assigned an RFC number.

The intent is to have a BCP number as well.

E.g., BCP195’s current instance is RFC 7525.

The intent is to have a BCP series but the process is largely the same as I 
understand it.

John B.


> On Mar 4, 2017, at 3:10 PM, Torsten Lodderstedt wrote:
> 
> Hi Hannes,
> 
> just for clarification: as far as I remember the proposal in Seoul was to 
> turn the document into a BCP. 
> 
> Is this consistent with your expectation?
> 
> kind regards,
> Torsten.
> 
>> On 20.02.2017 at 12:02, Hannes Tschofenig wrote:
>> 
>> Hi all,
>> 
>> earlier this month we issued a call for adoption of the OAuth security
>> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
>> response was quite positive on the list (as well as during the last f2f
>> meeting).
>> 
>> For this reason, we ask the authors to submit a WG version of the
>> document and to discuss new content for the document in preparation for
>> the next meeting.
>> 
>> Note that the intention of the document is to discuss security topics as
>> they relate to the work in the OAuth working group. As this initial
>> document already does, it describes a problem statement and outlines
>> various ways to mitigate the problems. I expect the working group to
>> decide which solution approach is most appropriate and to detail it (at
>> a specification level) in a separate document (some of those documents
>> already exist in the working group). This should help us make decisions
>> that are not just point solutions for specific problems but rather
>> consider the big picture.
>> 
>> Ciao
>> Hannes & Derek
>> 
> 





Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

2017-03-04 Thread Torsten Lodderstedt
Hi Hannes,

just for clarification: as far as I remember the proposal in Seoul was to turn 
the document into a BCP. 

Is this consistent with your expectation?

kind regards,
Torsten.

> On 20.02.2017 at 12:02, Hannes Tschofenig wrote:
> 
> Hi all,
> 
> earlier this month we issued a call for adoption of the OAuth security
> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
> response was quite positive on the list (as well as during the last f2f
> meeting).
> 
> For this reason, we ask the authors to submit a WG version of the
> document and to discuss new content for the document in preparation for
> the next meeting.
> 
> Note that the intention of the document is to discuss security topics as
> they relate to the work in the OAuth working group. As this initial
> document already does, it describes a problem statement and outlines
> various ways to mitigate the problems. I expect the working group to
> decide which solution approach is most appropriate and to detail it (at
> a specification level) in a separate document (some of those documents
> already exist in the working group). This should help us make decisions
> that are not just point solutions for specific problems but rather
> consider the big picture.
> 
> Ciao
> Hannes & Derek
> 





Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

2017-03-02 Thread Nat Sakimura
Great!

On Mon, Feb 20, 2017 at 8:02 PM Hannes Tschofenig wrote:

> Hi all,
>
> earlier this month we issued a call for adoption of the OAuth security
> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
> response was quite positive on the list (as well as during the last f2f
> meeting).
>
> For this reason, we ask the authors to submit a WG version of the
> document and to discuss new content for the document in preparation for
> the next meeting.
>
> Note that the intention of the document is to discuss security topics as
> they relate to the work in the OAuth working group. As this initial
> document already does, it describes a problem statement and outlines
> various ways to mitigate the problems. I expect the working group to
> decide which solution approach is most appropriate and to detail it (at
> a specification level) in a separate document (some of those documents
> already exist in the working group). This should help us make decisions
> that are not just point solutions for specific problems but rather
> consider the big picture.
>
> Ciao
> Hannes & Derek
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation


[OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

2017-02-20 Thread Hannes Tschofenig
Hi all,

earlier this month we issued a call for adoption of the OAuth security
topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
response was quite positive on the list (as well as during the last f2f
meeting).

For this reason, we ask the authors to submit a WG version of the
document and to discuss new content for the document in preparation for
the next meeting.

Note that the intention of the document is to discuss security topics as
they relate to the work in the OAuth working group. As this initial
document already does, it describes a problem statement and outlines
various ways to mitigate the problems. I expect the working group to
decide which solution approach is most appropriate and to detail it (at
a specification level) in a separate document (some of those documents
already exist in the working group). This should help us make decisions
that are not just point solutions for specific problems but rather
consider the big picture.

Ciao
Hannes & Derek


