Hi all,
Mark McGloin and me have been working on OAuth 2.0 security
considerations for a couple of weeks now. Since we both cannot attend
the IETF-79 meetings, we would like to provide the WG with information
regarding the current status of our work. I therefore uploaded a
_preliminary_ version of our working document to the WG's wiki at
http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf.
The focus of this version was on consolidating previous work as well as
results of mailing list discussions and start working towards a rigorous
threat model.
Please give us feedback.
regards,
Torsten.
Am 07.11.2010 03:22, schrieb Hannes Tschofenig:
Hi all,
please consider attending the following two meetings!
** OAuth Security Session **
• Date: Monday, 13:00-15:00
• Location: IAB breakout room (Jade 2)
• Contact: Hannes Tschofenig hannes(_dot_)tschofenig(_at_)gmx(_dot_)net
The security consideration section of OAuth 2.0 (draft -10) is still empty.
Hence, we would like to put some time aside to discuss what security threats,
requirements, and countermeasures need to be described. We will use the Monday,
November 8, 1300-1500 slot to have a discussion session.
As a starting point I suggest to look at the following documents:
• http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
• http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
•
http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt
Note: If you are unfamiliar with OAuth then the OAuth tutorial session might be
more suitable for you!
** OAuth Tutorial **
• Date: Wednesday, 19:30 (after the plenary)
• Location: IAB breakout room (Jade 2)
• Contact: Hannes Tschofenig hannes(_dot_)tschofenig(_at_)gmx(_dot_)net
OAuth allows a user to grant a third-party Web site or application access to
their resources, without necessarily revealing their credentials, or even their
identity. The OAuth working group, see
http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to finalize
their main specification, namely OAuth v2:
http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
Based on the positive response at the last IETF meeting (in Maastricht) we
decided to hold another OAuth tutorial, namely on *Wednesday, starting at 19:30
(after the IETF Operations and Administration Plenary) till about 21:00. (Note:
I had to switch the day because of the social event!)
It is helpful to read through the documents available int he working group but
not required.
Up-to-date information can be found here:
http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
Ciao
Hannes
_______________________________________________
OAuth mailing list
OAuth(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf