Proposed OAuth 2.0 Assurance Session at IIW

As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the related posts below, I’ve been gnawing on that topic for awhile and IIW seems like a good place to bring it fully into the light of group synergy. Here’s my initial proposal:

Title: OAuth 2.0 Assurance

Outline

Problem statement: Provide an introduction to OAuth assurance based on my blogs and RFC 6819

General recommendations: Also part of intro presentation, explain that its necessary to address issues through profiling, testing and secure implementation and operations

Scope: Focus on the basic OAuth 2.0 specification, not getting into unresolved issues related to the many proposed extensions, such as token contents, or semantics

Discussion topic 1: What would be a reasonable framework for OAuth 2.0 assurance levels, and how might those map to NIST Levels of Assurance (LOAs) 1 or 2?

Discussion topic 2: What are “10 commandments” for Secure OAuth 2.0 (or “10 deadly sins to avoid”) and how would we test for them?

Discussion topic 3: Future plans – how can we carry the output of this session forward? Is there a home somewhere for an OAuth 2.0 assurance standards group? Would some organization (or group) be willing to work on standing up a test server to look for the 10 deadly sins? Would some organization (or group) be willing to work developing secure, open source OAuth libraries validated to follow the 10 commandments?

I already have a few folks interested in this panel and contributing ideas but would welcome a lot more. If you’re attending IIW 17 and interested in contributing, please let me know via one of my communications channels such as @danblumSS or the comments thread on this post.

• http://iiw.idcommons.net/Main_Page
• http://iiw.idcommons.net/images/1/13/IIW16_Book_of_Proceedings.PDF