[OAUTH-WG] Review of draft-ietf-oauth-jwsreq-11

2017-02-02 Thread Joel Halpern
Reviewer: Joel Halpern Review result: Not Ready I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more

Re: [OAUTH-WG] OAuth for institutional users

2017-02-02 Thread Denis
Justin, You are making the promotion of your book (OAuth 2 In Action), soon to be published. I browsed through the 23 pages of Chapter 1 that are provided as a free download. I saw the footnote from Manning Publications Co. which states: "/We welcome reader comments about anything in the

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Jim Willeke
+! I agree this is needed. -- -jim Jim Willeke On Thu, Feb 2, 2017 at 4:33 PM, John Bradley wrote: > I am in favour of adoption. > > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig > wrote: > > > > Hi all, > > > > this is the call for adoption of

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Brian Campbell
+ 1 On Thu, Feb 2, 2017 at 12:49 PM, Justin Richer wrote: > +1, it's a good topic and this document is a good starting point. > > -- Justin > > On 2/2/2017 2:09 AM, Hannes Tschofenig wrote: > > Hi all, > > this is the call for adoption of the 'OAuth Security Topics' document >

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread John Bradley
I am in favour of adoption. > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig > wrote: > > Hi all, > > this is the call for adoption of the 'OAuth Security Topics' document > following the positive call for adoption at the last IETF > meeting in Seoul. > > Here is the

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread George Fletcher
+1 for me too :) On 2/2/17 2:09 AM, Hannes Tschofenig wrote: Hi all, this is the call for adoption of the 'OAuth Security Topics' document following the positive call for adoption at the last IETF meeting in Seoul. Here is the document:

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Justin Richer
+1, it's a good topic and this document is a good starting point. -- Justin On 2/2/2017 2:09 AM, Hannes Tschofenig wrote: Hi all, this is the call for adoption of the 'OAuth Security Topics' document following the positive call for adoption at the last IETF meeting in Seoul. Here is the

Re: [OAUTH-WG] OAuth for institutional users

2017-02-02 Thread Justin Richer
+1 to Phil's reference to SCIM, and since it looks like you're looking to do end user authentication you should look at OpenID Connect: http://openid.net/connect/ There are a lot of ways to get an authentication protocol based on OAuth very, very wrong, and I've covered some of the big ones

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Mike Jones
I support adoption. -- Mike -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, February 1, 2017 11:10 PM To: oauth@ietf.org Subject: [OAUTH-WG] Call for adoption: OAuth Security Topics Hi all,

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Phil Hunt
+1 Phil Oracle Corporation, Identity Cloud Services & Identity Standards @independentid www.independentid.com phil.h...@oracle.com > On Feb 2, 2017, at 11:11 AM, Anthony Nadalin wrote: > > I would be in

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Anthony Nadalin
I would be in favor of this -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, February 1, 2017 11:10 PM To: oauth@ietf.org Subject: [OAUTH-WG] Call for adoption: OAuth Security Topics Hi all, this is the call for adoption of

Re: [OAUTH-WG] Alexey Melnikov's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS and COMMENT)

2017-02-02 Thread Mike Jones
I was planning to stay with the characters specified in 6.1 (a) https://tools.ietf.org/html/draft-ietf-oauth-amr-values-05#section-6.1: a. require that Authentication Method Reference values being registered use only printable ASCII characters excluding double quote ('"') and

Re: [OAUTH-WG] OAuth for institutional users

2017-02-02 Thread Phil Hunt (IDM)
You are headed down the road to a very big domain called identity management and provisioning. You might want to look at SCIM (RFC7643, 7644) for a restful api pattern. SCIM is usually OAuth enabled but the scopes/rights have not yet been standardized. There is however some obvious access

Re: [OAUTH-WG] Alexey Melnikov's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS and COMMENT)

2017-02-02 Thread Alexey Melnikov
Hi Mike, On Thu, Feb 2, 2017, at 03:05 PM, Mike Jones wrote: > I'd be OK limiting the protocol elements to using ASCII characters, if > that would be the IESG's preference. I think that would be much simpler for everybody. I still want to confirm that spaces are allowed in names. Can you

Re: [OAUTH-WG] Alexey Melnikov's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS and COMMENT)

2017-02-02 Thread Mike Jones
I'd be OK limiting the protocol elements to using ASCII characters, if that would be the IESG's preference. -Original Message- From: Alexey Melnikov [mailto:aamelni...@fastmail.fm] Sent: Thursday, February 2, 2017 12:06 AM To: The IESG Cc:

Re: [OAUTH-WG] Decentralized OAuth2.0 -- FW: New Version Notification for draft-hardjono-oauth-decentralized-00.txt

2017-02-02 Thread Thomas Hardjono
What's needed would be (a) contracts servers that can talk to one another, (b) addition of pub-keys to some well known endpoints, and (c) some actual contracts with actual legal prose :-) The contract server could be treated as a protected endpoint (e.g. at the AS), but since contract