Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-20 Thread nadalin
document defining SD-CWT to the IESG for publication * 03-2026 - Submit a document as a proposed standard covering Metadata Discovery to the IESG for publication <https://datatracker.ietf.org/doc/charter-ietf-spice/00-00/#introduction> Introduction <https://datatracker.ietf.

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-20 Thread nadalin
arter-ietf-spice/00-00/#milestones> Milestones From: Orie Steele Sent: Monday, February 19, 2024 6:15 PM To: Anthony Nadalin Cc: Roman Danyliw ; oauth Subject: Re: [OAUTH-WG] FW: Call for consensus on SPICE charter Inline: On Mon, Feb 19, 2024, 7:34 PM mailto:nada...@prodigy

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-19 Thread nadalin
Orie, thanks for the response I’m still confused on this charter proposal as I read this charter it is to create architecture, patterns and definitions for electronic credentials. The charter should be free of any technology including W3C, if people want clarity about what an electronic cred

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-15 Thread nadalin
1) Do you support the charter text? Or do you have objections or blocking concerns (please describe what they might be and how you would propose addressing the concern)? Not sure I support at this point, I understand the need for an architecture document with patterns and definitions, etc. Th

Re: [OAUTH-WG] Call for Adoption: DPoP

2020-03-17 Thread Anthony Nadalin
+1 From: OAuth On Behalf Of Mike Jones Sent: Tuesday, March 17, 2020 8:14 AM To: Rifaat Shekh-Yusef ; oauth Subject: [EXTERNAL] Re: [OAUTH-WG] Call for Adoption: DPoP I am for adoption of DPoP. -- Mike From: OAuth mailto:oauth-boun...@iet

Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

2020-02-18 Thread Anthony Nadalin
I would suggest a SHOULD NOT instead of MUST, there are still sites using this and a grace period should be provided before a MUST is pushed out as there are valid use cases out there still. From: OAuth On Behalf Of Dick Hardt Sent: Tuesday, February 18, 2020 12:37 PM To: oauth@ietf.org Subject

Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop

2019-08-12 Thread Anthony Nadalin
I know you were too polite ! From: Steinar Noem Sent: Saturday, August 10, 2019 11:04 AM To: Nat Sakimura Cc: Anthony Nadalin ; Mike Jones ; OAuth WG Subject: Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop That is good to hear, Nat. I tried to be as polite as possible in

Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop

2019-08-08 Thread Anthony Nadalin
How about the University in Gjovik ? Get Outlook for Android From: OAuth on behalf of Daniel Fett Sent: Wednesday, August 7, 2019 11:47:51 PM To: Dick Hardt ; dba...@leastprivilege.com Cc: Mike Jones ; OAuth WG Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread Anthony Nadalin
I support adoption of this draft as a working group document with the following caveats: 1. These are not to be used as ID Tokens/authentication tokens 2. The privacy issues must be addressed 3. Needs to be extensible, much like ID-Token, can't be 100% fixed -Original Message- From:

Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

2018-07-20 Thread Anthony Nadalin
I’m concerned over the security implications of a client being able to introspect a token, for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed I don’t support this as a WG draft From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Thursd

Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours

2018-06-18 Thread Anthony Nadalin
I was dialed in and no one was there From: OAuth On Behalf Of Hannes Tschofenig Sent: Monday, June 18, 2018 2:06 PM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours Rifaat was on the call for 30mins but nobody joined. I couldn’t

Re: [OAUTH-WG] Token Exchange - IPR Disclosure

2017-12-12 Thread Anthony Nadalin
I am not aware of any IPR on the token exchange document. From: Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com] Sent: Thursday, November 23, 2017 8:14 AM To: draft-ietf-oauth-token-exchange@ietf.org; oauth Cc: Hannes Tschofenig Subject: Token Exchange - IPR Disclosure Authors, As part o

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread Anthony Nadalin
I'm unaware of any support for "OAuth" Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Friday, March 17, 2017 10:43 AM To: Jim Manico Cc: IETF OAUTH Subject: Re: [OAUTH-WG] Tok

Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document

2017-03-07 Thread Anthony Nadalin
I'm still getting feedback on the Windows examples that are pointed to by the spec, since it's not a simple case on Windows -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, March 6, 2017 8:00 AM To: oauth@ietf.org Subject: [OAUTH

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

2017-03-07 Thread Anthony Nadalin
Not true John, the CTAP support that is current would support the web-view w/o any changes -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Monday, March 6, 2017 12:16 PM To: Hannes Tschofenig Cc: internet-dra...@ietf.org; oauth@ietf.org Sub

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

2017-03-03 Thread Anthony Nadalin
I also think that this can be useful outside of Token Binding as this we have been looking at use cases for offline access tokens (or ID Tokens), and this sort of forms the basis for this approach From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Thursday, March 2, 2017

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Anthony Nadalin
I would be in favor of this -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, February 1, 2017 11:10 PM To: oauth@ietf.org Subject: [OAUTH-WG] Call for adoption: OAuth Security Topics Hi all, this is the call for adoption of t

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

2017-02-01 Thread Anthony Nadalin
We have interoped between FIDO authenticators vendors and Windows Hello -Original Message- From: Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] Sent: Wednesday, February 1, 2017 4:24 PM To: Mike Jones ; Anthony Nadalin ; joel jaeggli ; The IESG Cc: oauth-cha...@ietf.org; draft

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

2017-02-01 Thread Anthony Nadalin
and thus want to make sure there is a way to distinguish during the authentication since the iris scan reduces the probability of error -Original Message- From: Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] Sent: Wednesday, February 1, 2017 4:15 PM To: Anthony Nadalin ; Mike Jones

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

2017-02-01 Thread Anthony Nadalin
NIST asked for the addition of IRIS (as they are seeing more use of IRIS over retina due to the accuracy of iris) as they have been doing significant testing on various iris devices and continue to do so, here is a report that NIST released http://2010-2014.commerce.gov/blog/2012/04/23/nist-ir

Re: [OAUTH-WG] Future of PoP Work

2016-10-19 Thread Anthony Nadalin
I would like to see us proceed with the symmetric PoP work in Oauth WG and stop the HTTP Signing work all together From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Wednesday, October 19, 2016 12:54 PM To: Hannes Tschofenig Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] F

Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation

2016-09-21 Thread Anthony Nadalin
I’m not aware of any IPR From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM) Sent: Tuesday, September 20, 2016 8:54 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation I am aware of no IPR. Phil On

Re: [OAUTH-WG] Following up on token exchange use case

2016-09-08 Thread Anthony Nadalin
Things have gotten so muddled not sure where to begin, the original goal of this draft was to provide the function that we use in daily high volume production of WS-Trust as we transition to Oauth. WS-Trust provided many options, one was ActAs and the other was OnBehalfOf, these were 2 distinct

Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0

2016-08-16 Thread Anthony Nadalin
I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token-binding-00

Re: [OAUTH-WG] OAuth Security -- Next Steps

2016-07-25 Thread Anthony Nadalin
Sounds about right, but I would imagine that the BCP would cover any issue that arises not just mix-up -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, July 25, 2016 3:59 AM To: oauth@ietf.org Subject: [OAUTH-WG] OAuth Security --

Re: [OAUTH-WG] RT treatment in Token Exchange

2016-07-05 Thread Anthony Nadalin
So I think the proposed wording is still too specific and limits the use case , I also don’t understand the usage of “credential” in your description as this does not have to be a credential. So suggest that this be simple and if you want you can explain in the security considerations section wh

Re: [OAUTH-WG] closing an open issue about supplementary info in the Token Exchange request

2016-06-20 Thread Anthony Nadalin
Sounds appropriate From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, June 20, 2016 10:16 AM To: oauth Subject: [OAUTH-WG] closing an open issue about supplementary info in the Token Exchange request A good while back in an off list conversation about Token Ex

Re: [OAUTH-WG] Reminder: OAuth Security Workshop

2016-05-16 Thread Anthony Nadalin
Can I also suggest that a PayPal or Credit Card payment be added as a means as bank transfer for corporate folks is like impossible -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Monday, May 16, 2016 4:25 AM To: Hannes Tschofenig ; oauth@ietf

Re: [OAUTH-WG] Multi-AS State Re-Use

2016-05-10 Thread Anthony Nadalin
STATE can be anything, it does not have to be a NONCE so changing this would cause issues at this time for existing deployments From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Monday, May 9, 2016 7:34 PM To: Guido Schmitz ; oauth@ietf.org Subject: Re: [OAUTH-WG] Multi-

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-12 Thread Anthony Nadalin
Nadalin ; Subject: Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0 +1 to Torsten’s point. And a reminder to Tony that call for adoption is the *start* of the document editing process, not the end. We’re not saying this is a complete solution with everything thought out when we

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-11 Thread Anthony Nadalin
So it’s an incomplete solution then ? From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Monday, April 11, 2016 1:34 PM To: Anthony Nadalin Cc: Nat Sakimura ; Subject: Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0 No, I'm not adding requirement

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-11 Thread Anthony Nadalin
So now you are adding more requirements for encryption ? The more this thread goes on shows how unstable and not fully thought out this draft is to go through WG adoption. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, April 11, 2016 12:30 PM To: Nat Sakimu

[OAUTH-WG] Token Binding and RFC5705

2016-04-09 Thread Anthony Nadalin
At the informal Token Binding meeting we had a discussion of Java servers supporting TB, the support would have to come out of JSSE, here is the analysis on what it would take to change JSSE Implementing 5705 itself, would not take too long and appears to be pretty straightforward. The EKM is

Re: [OAUTH-WG] OAuth 2.1

2016-04-07 Thread Anthony Nadalin
I don't believe that scopes should be defined more precisely as this opaqueness was a design feature, I'm not seeing the reason why scopes need to be defined, as these are application specific. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Anthony Nadalin
: Wednesday, April 6, 2016 1:13 PM To: Anthony Nadalin Cc: Phil Hunt (IDM) ; oauth@ietf.org Subject: Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0 Multiple resources are there now. I have no idea what "interaction with Token Exchange" means. Can you please explain? On

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Anthony Nadalin
I would like to see the multiple resources servers, interaction with Token Exchange resolved before this is adopted to see if this will actually solve the problems From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Wednesday, April 6, 2016 12:52 PM To: Phil Hunt (IDM)

Re: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20

2016-04-06 Thread Anthony Nadalin
Wasn't this the task of the design team ? -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 6, 2016 10:48 AM To: oauth@ietf.org Subject: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20 Hi all, during the f2f

Re: [OAUTH-WG] [scim] Simple Federation Deployment server to server

2016-04-06 Thread Anthony Nadalin
6, 2016 5:52 AM To: Anthony Nadalin Cc: Gil Kirkpatrick ; Nat Sakimura ; Phil Hunt (IDM) ; s...@ietf.org; oauth@ietf.org Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment Sounds like there is interest. SCIM or OAUTH? -- Dick On Apr 6, 2016, at 8:57 AM, Anthony Nadalin mailto:tony

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Anthony Nadalin
I would be interested also Sent from my Windows 10 phone From: Gil Kirkpatrick Sent: Wednesday, April 6, 2016 4:16 AM To: 'Nat Sakimura'; 'Hardt, Dick'; 'Phil Hunt (IDM)' Cc: s...

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

2016-03-15 Thread Anthony Nadalin
uth 2.1 that describes the available extensions and when/why one would use them. On Mon, Mar 14, 2016 at 4:29 PM, Anthony Nadalin mailto:tony...@microsoft.com>> wrote: I would really like to see a comprehensive solution not this piece work, so we know what we are solving and what we are no

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

2016-03-14 Thread Anthony Nadalin
I would really like to see a comprehensive solution not this piece work, so we know what we are solving and what we are not. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hans Zandbelt Sent: Monday, March 14, 2016 3:26 PM To: Phil Hunt (IDM) ; John Bradley C

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

2016-03-14 Thread Anthony Nadalin
draft-hunt-oauth-bound-config-00.txt Date: March 13, 2016 at 3:53:37 PM PDT To: "Phil Hunt" mailto:phil.h...@yahoo.com>>, "Anthony Nadalin" mailto:tony...@microsoft.com>>, "Tony Nadalin" mailto:tony...@microsoft.com>> A new version of I-D, draft-hun

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Anthony Nadalin
incomplete There are still documents from Nat, and I believe there will be one from Phil and maybe others. From: Mike Jones Sent: Saturday, March 12, 2016 8:29 AM To: Anthony Nadalin ; Brian Campbell ; John Bradley Cc: oauth Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery The

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Anthony Nadalin
From: Mike Jones Sent: Saturday, March 12, 2016 8:06 AM To: Anthony Nadalin ; Brian Campbell ; John Bradley Cc: oauth Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery The draft enables easy configuration of OAuth clients with an AS. For instance, the Microsoft “ADAL” OAuth

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
Sorry but not true, this started out as “discovery” and now it’s not From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Friday, March 11, 2016 3:59 PM To: Anthony Nadalin Cc: John Bradley ; oauth Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery That *is* the

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
and destination in the first place and returned both dst and scope in the response all along, so this is update that is consistent with the existing architecture of OAuth 2. Let's keep the two issues separate. John B. On Mar 11, 2016, at 12:07 AM, Anthony Nadalin mailto:tony...@microsoft.com>

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
There have been way too many issues, confused conversations and discussions on and off list to have this document move forward, suggest that this be one of the main items on the agenda for when we meet. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM) Sent: Thursday, Marc

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Anthony Nadalin
The relationship between AS and RS need to be scoped to “does this RS accept tokens from this AS” as a list is too much information that could be used in the wrong way From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Thursday, March 10, 2016 6:25 PM To: Phil Hunt (IDM)

Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-meta-07.txt

2016-02-24 Thread Anthony Nadalin
To: Anthony Nadalin ; oauth Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-meta-07.txt Link relation is not at all XML. It is a step forward to RESTfulness. In the older version of the draft, I was using JSONized version of it as well, but I split it out for the

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-02-24 Thread Anthony Nadalin
Sure there is, it is as you have now made it far easier and the security considerations does not even address this From: Mike Jones Sent: Wednesday, February 24, 2016 10:22 AM To: Anthony Nadalin Cc: Subject: RE: [OAUTH-WG] OAuth 2.0 Discovery Location As we’d discussed in person, there’s no

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-02-24 Thread Anthony Nadalin
> The point of the WGLC is to finish standardizing the core discovery > functionality that’s already widely deployed. That may be widely deployed for OIDC but not widely deployed for OAuth. There are some authentication mechanism discovery for endpoint that really should not be in an OAuth stand

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-23 Thread Anthony Nadalin
I hear that many folks don't want to add a mandatory crypto operation on the client side :-( -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Tuesday, February 23, 2016 3:17 PM To: Roland Hedberg Cc: Subject: Re: [OAUTH-WG] Fixing the Autho

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-23 Thread Anthony Nadalin
I would go with option A, option B introduces concepts/syntax that complicates the current Oauth model -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Friday, February 19, 2016 11:43 AM To: oauth@ietf.org Subject: [OAUTH-WG] Fixing the A

Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

2016-02-18 Thread Anthony Nadalin
y that have not been addressed. -Original Message- From: Mike Jones Sent: Thursday, February 18, 2016 10:18 AM To: Anthony Nadalin ; Hannes Tschofenig ; Phil Hunt ; John Bradley Cc: oauth@ietf.org Subject: RE: [OAUTH-WG] OAuth Discovery spec pared down to its essence It's the OAuth-

Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

2016-02-18 Thread Anthony Nadalin
I also think we are way far from last call (and surprised to see last call issued) on this document as it is still very complex for something that should be very simple -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday, February

Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-meta-07.txt

2016-02-16 Thread Anthony Nadalin
I really think that this is a step backwards relative to technology and what the developers would accept. The Link Relations takes us back to the XML days, I thought we have all moved on from that and at least trying to move Oauth to JSON. I think if this were adopted we might be splitting the d

Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

2016-01-20 Thread Anthony Nadalin
This work had many issues in the OpenID WG where it failed why should this be a WG item here ? The does meet the requirements for experimental, there is a fine line between informational and experimental, I would be OK with either but prefer experimental, I don’t think that this should become a

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

2016-01-20 Thread Anthony Nadalin
+1 From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of William Denniss Sent: Wednesday, January 20, 2016 6:30 PM To: John Bradley ; Phil Hunt (IDM) Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation +1 for adoption, this is important work. On Thu, Jan

Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

2016-01-20 Thread Anthony Nadalin
After reading this draft I think that this may be better off as an experimental draft and not a WG draft -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Tuesday, January 19, 2016 3:47 AM To: oauth@ietf.org Subject: [OAUTH-WG] Call for a

Re: [OAUTH-WG] IETF 95 - Buenos Aires

2016-01-17 Thread Anthony Nadalin
I’m afraid that I would have to agree with Brian (hopefully this is not a trend) From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Friday, January 15, 2016 9:16 AM To: Hannes Tschofenig Cc: oauth@ietf.org; Rolando Martínez Subject: Re: [OAUTH-WG] IETF 95 - Buenos Aire

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
I can say on all windows based devices (pc, xbox, phone, etc) with only TPM 1.1 this will be the approach so it will be commonly used -Original Message- From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Wednesday, November 4, 2015 8:52 PM To: Anthony Nadalin Cc: Justin Richer

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
: Wednesday, November 4, 2015 8:48 PM To: Anthony Nadalin Cc: John Bradley ; Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment That’s only if you’re using good hardware to produce a key. We can’t assume that’s the only kind of client that will

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
Not sure why you think its weaker as it would be a wrapped key that the hardware produces -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, November 4, 2015 8:43 PM To: Justin Richer Cc: Subject: Re: [OAUTH-WG] Proof-of-Possessio

Re: [OAUTH-WG] confirmation model in proof-of-possession-02

2015-08-18 Thread Anthony Nadalin
d011db47%7c1&sdata=mVCW7aDWJwiUWjKY4XRik1hMJ >> gcxsZO85KRedzj%2bJkY%3d in which he stated that "flattening would be >> a bad direction". Nat also implicitly endorsed keeping "cnf" in his >> WGLC review comments in >> https://na01.safelinks.protectio

Re: [OAUTH-WG] Use of Token Exchange spec for API Federation

2015-07-15 Thread Anthony Nadalin
So in your scenario where you have client (c), user (u), resource (r) and resource 1(r1) does the flow go like U->C->R-R1 or U->C->R and U->C->R1 ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Chuck Mortimore Sent: Wednesday, July 15, 2015 12:47 PM To: OAuth WG ; Mike Jones Subject:

Re: [OAUTH-WG] Token Chaining Use Case

2015-07-07 Thread Anthony Nadalin
I’m not sure how Brian’s approach solves the basic generic token exchange use case that we have From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Richer Sent: Tuesday, July 7, 2015 4:47 PM To: Mike Jones Cc: Subject: Re: [OAUTH-WG] Token Chaining Use Case This approach is not a

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-06 Thread Anthony Nadalin
use case then what the feature of https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-01#section-1.3 describes. From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Monday, July 6, 2015 2:33 PM To: Anthony Nadalin Cc: Mike Jones ; oauth Subject: Re: [OAUTH-WG] JWT Token on

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-06 Thread Anthony Nadalin
The WS-Trust “ActAs” mimics the Windows Kerberos Protocol Transition (impersonation) feature as this enables an account to impersonate another account for the purpose of providing access to resources. In a typical scenario, the impersonating account would be a service account assigned to a web

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-01 Thread Anthony Nadalin
Not quite, the actual tokens are still opaque, the requestor is just asking for a token exchange , the requestor can specify the requested token type it's up to the server to determine the actual token it will deliver -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Beha

Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Anthony Nadalin
There some folks out there that are using AUD to mean DST. Adding DST is confusing, if you want to use it that's fine but don't see a need to standardize every claim that someone comes up with Sent from my Windows Phone From: Brian Campbell

[OAUTH-WG] Token Introspection: Misc Review Comments

2015-03-05 Thread Anthony Nadalin
Some comments: > The endpoint MAY allow other parameters to provide further context to the > query. If the endpoint does not understand these the endpoint must ignore. The only MUST in this specification is to return the "active" Boolean, but this is still underspecified as there is no definit

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-05 Thread Anthony Nadalin
invented structure. So how do I tell what "cnf" really is ? Is this proposal also limited to a single key for both asymmetric and symmetric ? -Original Message- From: Mike Jones Sent: Wednesday, March 4, 2015 3:34 PM To: Anthony Nadalin; Hannes Tschofenig; oauth@ietf.org

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread Anthony Nadalin
Why does the specification state "encrypted to a key known to the recipient using the JWE Compact Serialization" is this the only serialization allowed (there is no MUST) ? containing the symmetric key. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Ts

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Anthony Nadalin
>The definition of “active” is really up to the authorization server, and I’ve >yet to hear from an actual implementor who’s confused by this definition. When >you’re the one issuing the tokens, you know what an “active” token means to you According to the spec as written the Introspection endpo

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-02 Thread Anthony Nadalin
ion. What about the Audience restricted tokens, do you expect the endpoint to ignore this and process the tokens for metadata ? From: Justin Richer [mailto:jric...@mit.edu] Sent: Monday, December 1, 2014 4:42 PM To: Anthony Nadalin Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-01 Thread Anthony Nadalin
"active" is supposed to mean so folks get the same results on different endpoints From: Justin Richer [mailto:jric...@mit.edu] Sent: Sunday, November 30, 2014 6:57 PM To: Anthony Nadalin Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-introspection Tony, thanks for the commen

[OAUTH-WG] draft-ietf-oauth-introspection

2014-11-30 Thread Anthony Nadalin
Comments Intro "about the authentication conext", not sure what this is since there is no authentication context in Oauth Use of Oauth2, mixed with use of Oauth, pick one "allows holder of a token to query" so anything/anyone that has a token can use this endpoint? Introspection Endpoint Use of

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

2014-10-16 Thread Anthony Nadalin
Same here -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, October 16, 2014 10:17 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call For what it's worth, I was on th

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Anthony Nadalin
Add me -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday, September 11, 2014 3:30 PM To: oauth@ietf.org Cc: Derek Atkins Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong? Hi all, at the last IETF meeting Mike gave a

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
I don't see it that way as the guidelines not clear and we should revisit this since there was no conclusion in Toronto. -Original Message- From: Richer, Justin P. [mailto:jric...@mitre.org] Sent: Thursday, September 11, 2014 8:01 AM To: Anthony Nadalin Cc: Hannes Tschofenig;

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
Is "experimental" the correct classification? Maybe "informational" is more appropriate as both of these were discussed. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, September 10, 2014 4:50 PM To: oauth@ietf.org Subject: [

Re: [OAUTH-WG] Working Group Last Call on "Symmetric Proof of Possession for the OAuth Authorization Code Grant"

2014-08-27 Thread Anthony Nadalin
Not all of us look at individual drafts, and thus I have not previously read this, but I did this morning and find that there are issues with the way the "code challenge" is specified as this requires pre negation of what/how that value was achieved and a large scale deployment that is almost im

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

2014-08-11 Thread Anthony Nadalin
I read the draft and just don’t get it, it overloads some of the basic semantics, I’m not quite sure you get the concept of token exchange, has what you described been deployed ? or even built ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, August 11, 2014

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

2014-07-30 Thread Anthony Nadalin
John this is for the people that did not hum at the face to face and not just for the people not at the face to face. Sent from my Windows Phone From: John Bradley Sent: 7/30/2014 7:20 AM To: Sergey Beryozkin

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

2014-07-29 Thread Anthony Nadalin
I think we need management APIs now to manage the new endpoint, but seriously this introspection proposal has privacy issues, to avoid these I would encrypt the tokens and then this would be a useless endpoint, also this has issues with symmetric POP tokens, but maybe this was only designed to w

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
Oh yea, real different, give me a freaking break From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, July 24, 2014 6:31 PM To: Anthony Nadalin Cc: John Bradley; oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt The

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
OMG, how can you say that when the Dynamic Reg does the same thing (duplicates) but that is OK to do From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 24, 2014 10:22 AM To: John Bradley Cc: oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notifica

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
I’m sure it was spun in a way that could be true since there was no technical value to Ian’s statement and I’m sure that folks had not read or understood the usage. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 24, 2014 6:53 AM To: Nat Sakimura Cc:

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
If we take Ian’s non-technical advice then most of the work in OAuth should be put down. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Thursday, July 24, 2014 5:29 AM To: John Bradley Cc: oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notification for draf

Re: [OAUTH-WG] Shepherd Writeup for Dynamic Client Registration Draft

2014-07-15 Thread Anthony Nadalin
Is your implementation from the OpenID Connect specification or from the IETF specification From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Edmund Jay Sent: Tuesday, July 15, 2014 11:01 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Writeup for Dynamic Client R

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
do plan to refresh this draft to allow for a more flexible trust model shortly. -- Mike From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin Sent: Thursday, July 03, 2014 12:04 PM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-jones-

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
I’m lost, the terms defined in the oauth token-exchange draft are the same terms defined in ws-trust and have the same definitions From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, July 3, 2014 12:02 PM To: Anthony Nadalin Cc: Vladimir Dzhuvinov; oauth@ietf.org Subject: Re

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
The explanation of on-behalf-Of and ActAs are correct in the document as defined by WS-Trust, this may not be your desire or understanding but that is how WS-Trust implementations should work From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 3, 2014 11:

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-05 Thread Anthony Nadalin
Delegation From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Thursday, June 5, 2014 12:45 PM To: Anthony Nadalin Cc: Bill Mills; Phil Hunt; oauth@ietf.org Subject: Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c Examples? Am 05.06.2014 um 21:42 schrieb Anthony

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-05 Thread Anthony Nadalin
It’s great in some ways but also very limiting if you are counting on certain requirements to be represented in the access token From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Thursday, June 5, 2014 12:40 PM To: Bill Mills Cc: Phil Hunt; oauth@ietf.org Subject

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-15 Thread Anthony Nadalin
Where is the confusion? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, May 14, 2014 10:59 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering I know a number of people implementing http://tools.ietf.or

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
a4c. From: Chuck Mortimore [mailto:cmortim...@salesforce.com] Sent: Wednesday, May 14, 2014 9:39 AM To: Anthony Nadalin Cc: Phil Hunt; Brian Campbell; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering Can you point to one publicly available or publicly documented

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
Please list the implementations From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, May 14, 2014 10:59 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering I know a number of people implementing http://tools.

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
I agree with Phil on this one, there are implementations of this already and much interest From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Wednesday, May 14, 2014 8:32 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

2014-04-06 Thread Anthony Nadalin
I have to agree with Phil on this as there are already specs out there that use HoK and PoP, either of these work but prefer HoK as folks get confused with PoP as we have seen this within our company already From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, Apri
