RE: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

2010-11-08 22:47:36
I was looking for less of an analysis and more of considerations (of the 
current flows and actors). I'm not sure how to adapt what you have done to 
actually fit in the current specification; was your thought that you would 
produce a separate security analysis document?

-----Original Message-----
From: oauth-bounces(_at_)ietf(_dot_)org 
[mailto:oauth-bounces(_at_)ietf(_dot_)org] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 07, 2010 3:04 PM
To: Hannes Tschofenig
Cc: abfab(_at_)ietf(_dot_)org; rai(_at_)ietf(_dot_)org; 
ietf(_at_)ietf(_dot_)org; secdir(_at_)ietf(_dot_)org; 
websec(_at_)ietf(_dot_)org; xmpp(_at_)ietf(_dot_)org; 
kitten(_at_)ietf(_dot_)org; iab(_at_)iab(_dot_)org Board; 
iesg(_at_)ietf(_dot_)org; oauth(_at_)ietf(_dot_)org
Subject: Re: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Hi all,

Mark McGloin and I have been working on OAuth 2.0 security considerations for 
a couple of weeks now. Since we both cannot attend the IETF-79 meetings, we 
would like to provide the WG with information regarding the current status of 
our work. I therefore uploaded a _preliminary_ version of our working document 
to the WG's wiki at 
http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf.

The focus of this version was on consolidating previous work as well as results 
of mailing list discussions, and on starting to work towards a rigorous threat model.

Please give us feedback.

regards,
Torsten.

On 07.11.2010 03:22, Hannes Tschofenig wrote:
Hi all,

please consider attending the following two meetings!

** OAuth Security Session **

      * Date: Monday, 13:00-15:00
      * Location: IAB breakout room (Jade 2)
      * Contact: Hannes Tschofenig hannes(_dot_)tschofenig(_at_)gmx(_dot_)net 

The security 
consideration section of OAuth 2.0 (draft -10) is still empty. Hence, we 
would like to put some time aside to discuss what security threats, 
requirements, and countermeasures need to be described. We will use the 
Monday, November 8, 1300-1500 slot to have a discussion session.

As a starting point I suggest looking at the following documents:

      * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
      * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
      * http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt

Note: If you are unfamiliar with OAuth then the OAuth tutorial session might 
be more suitable for you!



** OAuth Tutorial **

      * Date: Wednesday, 19:30 (after the plenary)
      * Location: IAB breakout room (Jade 2)
      * Contact: Hannes Tschofenig hannes(_dot_)tschofenig(_at_)gmx(_dot_)net 

OAuth allows a 
user to grant a third-party Web site or application access to their 
resources, without necessarily revealing their credentials, or even 
their identity. The OAuth working group, see 
http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to 
finalize their main specification, namely OAuth v2: 
http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/

Based on the positive response at the last IETF meeting (in 
Maastricht) we decided to hold another OAuth tutorial, namely on 
Wednesday, starting at 19:30 (after the IETF Operations and 
Administration Plenary) till about 21:00. (Note: I had to switch the 
day because of the social event!)

It is helpful to read through the documents available in the working group, 
but not required.

Up-to-date information can be found here: 
http://www.ietf.org/registration/MeetingWiki/wiki/79bofs

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf