[OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 19 February 2016 19:42 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F2F1B2B25 for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2016 11:42:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.606
X-Spam-Level:
X-Spam-Status: No, score=-2.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VYWsce55tn8 for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2016 11:42:28 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC52F1AC3E0 for <oauth@ietf.org>; Fri, 19 Feb 2016 11:42:27 -0800 (PST)
Received: from [192.168.10.140] ([195.149.218.208]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MKbZD-1aUw4M20jn-001wW6 for <oauth@ietf.org>; Fri, 19 Feb 2016 20:42:25 +0100
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <56C7702B.2000401@gmx.net>
Date: Fri, 19 Feb 2016 20:42:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="GsTROuPn7vlEwrWMDAdqTkEJMluUHexP8"
X-Provags-ID: V03:K0:j12PMSFwOuKBkTisd9X+dZNqLIqeuWmJr+5h9yAXMSg4Glq/JLk sRH+KLFdhYmcH/cfDghnyMFH6dWosfKGaU58JuwiawX7z8pN5/8EYLLehVemPurMTy6LSbp AAlOz8Jiiw3lfhEUwXHIR5Sd9JOkZw9+wA4dGEyfkA2DliPeMisT5COdsrN5NbZ9X3RRvjl T7JHX0QsdJ3iOtWzv1ezA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:QmM8v+h6PXI=:Wv+OqWhMzCHP7s9+6froHL RtphOgXKPl9x1rtHq2/5dP5VjgR76h2n6/6qKlu+e+Sc/MvpSNp+5A7S+R0L9nz2mWbhvgn9K M2PxpP++ieRZl3Ccl8rD4k/+olF3oheMkcRGl3EtGeqH2X5ZA58ksjvTL2bFjbELDG9e3Gqky ycZbN3PXjSQUM4VS5A7T+BbeqBcE386l1DbA+k079fIAH0V1o6kN3ZV04RNnEbQ20gHyFkum3 KSs6uWEAYiZsSCZulW8XZmblsXqyDAylzKk+WDi/018IarRT1eq8gWQfBjPj8uaRlFXh268Lg O2VvXDMQyvTfMmorqiB19zYPZX2I4gWSt3UAxcYGmno9XEIvOqUdk82nJIICZ3ZZj2W+Dd0F4 S82o3bxJ7p8ofyEIN4hyEyixDoUhtrwHJjTyFCpXN3qrLC5Ldczl6aSbwUEudxxhIvn0aSu8E R31CwmwFBnaV7I+KVbpAX+Qa/2hdf20AFPOJKv+l9nSnE2ZJYfQ+9KBT0QvvUmFbFpsoEa5mN O7N00KbORGPDZlhCUecw2r91v3j9+YQU4Aexm9NtEPS3bmB3u5noRy05UhCFwwW65PY7MY2Uq ZOGZeF/MrTr9Qmpkz3hBU6/MQ0AgZKC7Uj/ecMiUwpvZ56vxV9ljObqrdlm6pZgn1Jvvv6MuU mZcT9vqRlcaPiOCIdsG2DYq1M9eOpHdgyPjrdG6fblI3HRX539udOGzMMlRjtu55yUduUY538 fPGT0ACha0XMOiu7F7x8+8aLYzm499ervFxsOLYYP1XouXNDi0Uw8dT/8QI=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-Dg2c7uH4xqJqZI6eF78oo8ceHk>
Subject: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 19:42:29 -0000

Early February I posted a mail to the list to make progress on the
solution to the OAuth Authorization Server Mix-Up problem discovered
late last year.

Here is my mail about the Authorization Server Mix-Up:
http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html

Here is my mail to the list that tries to summarize the discussion
status and asked a few questions:
http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html

Unfortunately, my mail didn't lead to the intended success. While there
was some feedback I wasn't getting the desired response.

In order to move forward I believe we need a working group document that
serves as a starting point for further work in the group*. We have two
documents that provide similar functionality in an attempt to solve the
Authorization Server Mix-Up problem.

So, here is the question for the group. Which document do you want as a
starting point for work on this topic:

-- Option A: 'OAuth 2.0 Mix-Up Mitigation' by Mike Jones and John Bradley

Link:
https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01

-- Option B: 'OAuth Response Metadata' by Nat Sakimura, Nov Matake and
Sascha Preibisch

Link:
https://tools.ietf.org/html/draft-sakimura-oauth-meta-07

Deadline for feedback is March, 4th.

Ciao
Hannes & Derek

PS: (*) Regardless of the selected solution we will provide proper
acknowledgement for those who contributed to the work.