ACE BOF & Tutorials (about Kerberos, PKI, AAA, OAuth, and ABFAB)

At the last IETF meeting early March in London I had the pleasure to co-chair the Authentication and Authorization for Constrained Environments (ace) BOF with Kepeng.
The picture of the flyer we distributed during the meeting should give you a rough idea what the topic is about.


(We are also working on the charter text that provides more details. The latest version can be found here and it is discussed on this mailing list.)

Here is my high-level summary of the BOF, which went pretty well (IMHO).

In a nutshell, we are trying to standardize an authentication and authorization protocol for use with constraint devices that makes use of a trusted third party.

In preparation for the BOF we scheduled a few tutorials about relevant technologies. Slides and recordings of the presentations are available.

  1. Kerberos (by Thomas Hardjono): Slides and recordings in ARF and MP4 format.
  2. OAuth (by Justin Richer): Slides  and recordings in ARF and MP4 format.
  3. “PKI/Certificate Model” (by Sean Turner): Slides and recordings in ARF and MP4 format.
  4. AAA (by Lionel Morand during the IETF EDU session): Slides

Note: .arf files are Webex recordings. You might need to use a Webex player. See

UPDATE: We scheduled the ABFAB tutorial on April 22nd; the slides and recordings in ARF and MP4 format are also available for download.

3 thoughts on “ACE BOF & Tutorials (about Kerberos, PKI, AAA, OAuth, and ABFAB)

  1. Hi, I have a use case where I have a mobile apotcialipn requesting information from a web apotcialipn (resource server). Both these apotcialipn is our own. Would you recommend using OAuth 2.0 for this?

    1. If you allow users to log into your web application also from a browser in addition to the smart phone app I would use OAuth 2.0. This allows you to avoid having to store the long term password of the user in your mobile app. Please have a look at the guidance provided in draft-wdenniss-oauth-native-apps-00 for the use of mobile apps. Here is a link to a slide deck: IETF#94 OAuth Native Application Guidelines

      If you additionally envision that you might outsource the login procedure to some other website in the future then I would also take a look at OpenID Connect.

Leave a Reply

Your email address will not be published. Required fields are marked *