OAuth Security Workshop 2017
Summary
OAuth is a critical component of the Internet infrastructure: it lets a user authorize a third-party application or service to obtain limited access to a service or account that the user owns. The security of the OAuth protocol is therefore paramount, since a flaw can result in large-scale loss, theft, or corruption of user data. To this end we want to bring together experts from industry and the research community with the goal of improving the assurances provided by OAuth and increasing its quality.
This meeting is organized by the IETF OAuth Working Group (WG), which is convinced that the wider Internet security community can help to improve the security of Internet protocols. In an attempt to reach out to all manner of security experts, from research, industry, and standardization bodies, the WG will hold this workshop on OAuth security during the week before the summer IETF meeting, namely on July 13th and 14th 2017 in Zürich, Switzerland, hosted by the Zurich Information Security and Privacy Center (ZISC) of ETH Zurich.
Event Details
When: July 13 & 14, 2017
Where: ETH Zürich, Alumni Pavillon, Rämistrasse 101, 8092 Zürich
Please note that due to construction work at the tram stop “Central” it may take you longer to get to the Alumni Pavillon than route planners will suggest, particularly if you are arriving from the main train station (Zurich HB). The funicular “Polybahn” is your easiest way up the hill, but will be very busy.
Registration
For the general public: https://zisc.ethz.ch/event/oauth-security-workshop-2017/
For ZISC affiliates: https://zisc.ethz.ch/event/oauth-security-workshop-2017-internal/
Schedule
Thursday

| Time | Speaker / Activity | Title and Materials |
|---|---|---|
| 08:30-09:00 | Registration and coffee | |
| 09:00-09:15 | Torsten Lodderstedt, YES Europe | Opening Remarks |
| 09:15-10:15 | David Basin, ETH Zurich | Security Protocols at ETHZ (slides) |
| 10:15-10:30 | break | |
| 10:30-11:30 | Cas Cremers, University of Oxford | Automated analysis and the subtleties of authentication: Adventures in TLS 1.3 (Invited Talk) (slides) |
| 11:30-11:45 | break | |
| 11:45-12:30 | Michael Jones, Microsoft | OAuth Token Binding: Status and Next Steps (slides) |
| 12:30-13:15 | Denis Pinkas, DP Security Consulting | A privacy by design eID scheme supporting Attribute-based Access Control (ABAC) (slides: scheme; slides: German eID; paper) |
| 13:15-14:45 | Lunch at Dozentenfoyer (directions) | |
| 14:45-15:30 | Naveen Agarwal, Breno de Medeiros, Google | OAuth & Phishing – Experiences @ Google (slides) |
| 15:30-16:15 | Torsten Lodderstedt, John Bradley | OAuth security (slides) |
| 16:15-16:45 | break | |
| 16:45-17:30 | Sven Hammann, ETHZ | Proposing a new Private Mode for OpenID Connect (slides) |
| 18:00 | Dinner at The Alehouse – Palmhof (location) | |

Friday

| Time | Speaker / Activity | Title and Materials |
|---|---|---|
| 08:30-09:00 | Coffee | |
| 09:00-09:45 | Daniel Fett, Ralf Küsters, and Guido Schmitz, Universität Stuttgart | The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines (slides) |
| 09:45-10:30 | Nat Sakimura, Nomura Research Institute | Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the application of BCM Principles (slides, paper) |
| 10:30-10:45 | break | |
| 10:45-11:30 | Hannes Tschofenig, ARM | Lessons learned from security protocol design: Meaningful content for security consideration sections of technical specifications (slides) |
| 11:30-11:45 | break | |
| 11:45-12:30 | William Denniss (presented by John Bradley), Google | Improving Native App OAuth Security with External User Agents (slides) |
| 12:30-13:15 | Go Yamamoto, Richard Boyer, Kenji Takahashi, and Nat Sakimura, Nomura Research Institute | Asserting Access Tokens from the Transport Layer (slides) |
| 13:15-14:45 | Lunch at Dozentenfoyer (directions) | |
| 14:45-15:30 | Jacob Ideskog, Curity | Simplified Integration of OAuth into JavaScript Applications (slides) |
| 15:30-16:00 | break | |
| 16:00-16:45 | Antonio Sanso, Adobe | Invalid curve attack in JWE ECDH-ES (slides) |
| 16:45-17:30 | General Discussion | |
Program Committee
Chairs
- David Basin (ETH Zurich)
- Torsten Lodderstedt (YES Europe)
Members
- John Bradley (Ping Identity)
- Ralf Küsters (University of Stuttgart)
- Chris Mitchell (Royal Holloway University of London)
- Anthony Nadalin (Microsoft)
- Nat Sakimura (Nomura Research Institute)
- Ralf Sasse (ETH Zurich)
- Jörg Schwenk (Ruhr University Bochum)
- Hannes Tschofenig (IETF OAuth Working Group Co-Chair)
Organizing Committee
- David Basin (ETH Zurich)
- Torsten Lodderstedt (YES Europe)
- Ralf Sasse (ETH Zurich)
Administration
- Barbara Pfändner (ETH Zurich)
Invited Speaker
- Cas Cremers, University of Oxford
Hotels
These hotels are within walking distance of the venue, but there are plenty more hotels in the Zurich area.
Important Dates
- Position paper submission deadline: May 2, 2017, extended to May 9, 2017 (AoE, UTC-12).
- Author notification: May 15, delayed to May 22, 2017.
- Registration deadline: June 16, 2017.
- Workshop: July 13 and July 14, 2017.
Call for Position Papers
Contact
For further questions, please contact the organizing committee at ralf.sasse@inf.ethz.ch.