Hannes Tschofenig

Personal blog about various IETF and Internet related activities


ACE BOF & Tutorials (about Kerberos, PKI, AAA, OAuth, and ABFAB)

At the last IETF meeting, in early March in London, I had the pleasure of co-chairing the Authentication and Authorization for Constrained Environments (ace) BOF with Kepeng.
The picture of the flyer we distributed during the meeting should give you a rough idea of what the topic is about.


(We are also working on the charter text that provides more details. The latest version can be found here and it is discussed on this mailing list.)

Here is my high-level summary of the BOF, which went pretty well (IMHO).

In a nutshell, we are trying to standardize an authentication and authorization protocol for use with constrained devices that makes use of a trusted third party.

In preparation for the BOF we scheduled a few tutorials about relevant technologies. Slides and recordings of the presentations are available.

  1. Kerberos (by Thomas Hardjono): Slides and recordings in ARF and MP4 format.
  2. OAuth (by Justin Richer): Slides and recordings in ARF and MP4 format.
  3. “PKI/Certificate Model” (by Sean Turner): Slides and recordings in ARF and MP4 format.
  4. AAA (by Lionel Morand during the IETF EDU session): Slides

Note: .arf files are Webex recordings. You might need to use a Webex player. See http://www.webex.com/play-webex-recording.html

UPDATE: We scheduled the ABFAB tutorial on April 22nd; the slides and recordings in ARF and MP4 format are also available for download.

3 Responses to “ACE BOF & Tutorials (about Kerberos, PKI, AAA, OAuth, and ABFAB)”

  1. Webinar about the Kantara User-Managed Access (UMA) working group to the IETF ACE Working Group « Hannes Tschofenig Says:

    […] Early 2014 we organized a couple of webinars to hear about technologies that allowed to provide authentication of Internet of Things devices and to control access to resources. We learned more about OAuth, Kerberos, and the PKI/certificate model and all talks have been recorded and can be found at http://www.tschofenig.priv.at/wp/?p=1012 […]

  2. Catherine Says:

    Hi, I have a use case where I have a mobile application requesting information from a web application (resource server). Both of these applications are our own. Would you recommend using OAuth 2.0 for this?

  3. Hannes Tschofenig Says:

    If you allow users to log into your web application also from a browser in addition to the smartphone app, I would use OAuth 2.0. This allows you to avoid having to store the long-term password of the user in your mobile app. Please have a look at the guidance provided in draft-wdenniss-oauth-native-apps-00 for the use of mobile apps. Here is a link to a slide deck: IETF#94 OAuth Native Application Guidelines

    If you additionally envision that you might outsource the login procedure to some other website in the future then I would also take a look at OpenID Connect.
