Re: [OAUTH-WG] OAuth Digest, Vol 70, Issue 1

Maik Mahn <EasyOnline@gmx.de> Sun, 03 August 2014 09:52 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/0m9QU_99uNiJZNuGRfgYVEBouMo

sooolooo.mm@gmail.com
On 03.08.2014 11:12, <oauth-request@ietf.org> wrote:

> Send OAuth mailing list submissions to
>         oauth@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.ietf.org/mailman/listinfo/oauth
> or, via email, send a message with subject or body 'help' to
>         oauth-request@ietf.org
>
> You can reach the person managing the list at
>         oauth-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
>
> Today's Topics:
>
>    1. Bls: OAuth Digest, Vol 69, Issue 134 (Panca Agus Ananda)
>    2. Check out Search for Ebay for BlackBerry (Panca Agus Ananda)
>    3. (no subject) (Panca Agus Ananda)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 3 Aug 2014 09:39:20 +0700
> From: Panca Agus Ananda <panca70@outlook.com>
> To: <oauth@ietf.org>
> Subject: [OAUTH-WG] Bls: OAuth Digest, Vol 69, Issue 134
> Message-ID: <BLU406-EAS25E4F6A9D6D0787FC3DA63A6E50@phx.gbl>
> Content-Type: text/plain; charset="utf-8"
>
>
>
> Sent from my BlackBerry 10 smartphone on the Telkomsel network.
> From: oauth-request@ietf.org
> Sent: Wednesday, 30 July 2014 03:42
> To: oauth@ietf.org
> Reply To: oauth@ietf.org
> Subject: OAuth Digest, Vol 69, Issue 134
>
>
>
>
> Today's Topics:
>
>    1. Re: Confirmation: Call for Adoption of "OAuth Token
>       Introspection" as an OAuth Working Group Item (Phil Hunt)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 29 Jul 2014 13:41:16 -0700
> From: Phil Hunt <phil.hunt@oracle.com>
> To: Justin Richer <jricher@mitre.org>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>         Token Introspection" as an OAuth Working Group Item
> Message-ID: <620AF4CA-B7F7-487E-A833-3483D2B41B26@oracle.com>
> Content-Type: text/plain; charset="utf-8"
>
> Making everything optional achieves no benefits, you just end up with a
> complex set of options and no inter op.
>
> We had the same issue with dyn reg.
>
> I prefer to first get agreement on use case.
>
> What are the questions a caller can ask and what form of responses are
> available.
>
> Should this be limited to authz info or is this a back door for user data
> and webfinger data?
>
> I would prefer to have agreement on use cases before picking a solution
> right now.
>
> Phil
>
> > On Jul 29, 2014, at 11:13, Justin Richer <jricher@mitre.org> wrote:
> >
> > Agreed on this point -- which is why the only MTI bit in the individual
> > draft is "active", which is whether or not the token was any good to
> > begin with. There are a set of claims with defined semantics but all are
> > optional, and the list is extensible. I think in practice we'll see
> > people settle on a set of common ones.
> >
> >  -- Justin
> >
> >> On 07/29/2014 02:11 PM, Bill Mills wrote:
> >> This is exactly the same problem space as webfinger, you want to know
> >> something about a user and there's a useful set of information you might
> >> reasonably query, but in the end the server may have its own schema of
> >> data it returns.  There won't be a single schema that fits all use cases.
> >> Any given RS/AS ecosystem may decide they have custom stuff and omit
> >> other stuff.  I think the more rigid the MTI schema gets the harder the
> >> battle in this case.
> >>
> >>
> >> On Tuesday, July 29, 2014 2:56 AM, Paul Madsen <paul.madsen@gmail.com> wrote:
> >>
> >>
> >> Standardized Introspection will be valuable in NAPPS, where the AS and
> >> RS may be in different policy domains.
> >>
> >> Even for single policy domains, there are enterprise scenarios where
> >> the RS is from a different vendor than the AS, such as when an API
> >> gateway validates tokens issued by an 'IdP'. We've necessarily defined
> >> our own introspection endpoint and our gateway partners have implemented
> >> it, (at the instruction of the customer in question). But of course it's
> >> proprietary to us.
> >>
> >> Paul
> >>
> >> On Jul 28, 2014, at 8:59 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> >>
> >>> That doesn't explain the need for inter-operability. What you've
> >>> described is what will be common practice.
> >>>
> >>> It's a great open source technique, but that's not a standard.
> >>>
> >>> JWT is much different. JWT is a foundational specification that
> >>> describes the construction and parsing of JSON based tokens. There is
> >>> inter-op with token formats that build on top and there is inter-op
> >>> between every communicating party.
> >>>
> >>> In OAuth, a site may never implement token introspection nor may it do
> >>> it the way you describe.  Why would that be a problem?  Why should the
> >>> group spend time on something where there may be no inter-op need.
> >>>
> >>> Now that said, if you are in the UMA community.  Inter-op is quite
> >>> foundational.  It is very very important. But then maybe the spec
> >>> should be defined within UMA?
> >>>
> >>> Phil
> >>>
> >>> @independentid
> >>> www.independentid.com
> >>> phil.hunt@oracle.com
> >>>
> >>>
> >>>
> >>>> On Jul 28, 2014, at 5:39 PM, Justin Richer <jricher@MIT.EDU> wrote:
> >>>>
> >>>> It's analogous to JWT in many ways: when you've got the AS and the RS
> >>>> separated somehow (different box, different domain, even different
> >>>> software vendor) and you need to communicate a set of information about
> >>>> the approval delegation from the AS (who has the context to know about
> >>>> it) through to the RS (who needs to know about it to make the
> >>>> authorization call). JWT gives us an interoperable way to do this by
> >>>> passing values inside the token itself, introspection gives a way to
> >>>> pass the values by reference via the token as an artifact. The two are
> >>>> complementary, and there are even cases where you'd want to deploy them
> >>>> together.
> >>>>
> >>>>  -- Justin
> >>>>
> >>>>> On 7/28/2014 8:11 PM, Phil Hunt wrote:
> >>>>> Could we have some discussion on the interop cases?
> >>>>>
> >>>>> Is it driven by scenarios where AS and resource are separate
> >>>>> domains? Or may this be only of interest to specific protocols like
> >>>>> UMA?
> >>>>>
> >>>>> From a technique principle, the draft is important and sound. I am
> >>>>> just not there yet on the reasons for an interoperable standard.
> >>>>>
> >>>>> Phil
> >>>>>
> >>>>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
> >>>>>
> >>>>>> Yes. This spec is of special interest to the platform we're
> >>>>>> building for http://www.oasis-eu.org/
> >>>>>>
> >>>>>>
> >>>>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >>>>>> Hi all,
> >>>>>>
> >>>>>> during the IETF #90 OAuth WG meeting, there was strong consensus in
> >>>>>> adopting the "OAuth Token Introspection"
> >>>>>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
> >>>>>> work item.
> >>>>>>
> >>>>>> We would now like to verify the outcome of this call for adoption on the
> >>>>>> OAuth WG mailing list. Here is the link to the document:
> >>>>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
> >>>>>>
> >>>>>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
> >>>>>> as to the suitability of adopting this document as a WG work item,
> >>>>>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
> >>>>>>
> >>>>>> The confirmation call for adoption will last until August 10, 2014. If
> >>>>>> you have issues/edits/comments on the document, please send these
> >>>>>> comments along to the list in your response to this Call for Adoption.
> >>>>>>
> >>>>>> Ciao
> >>>>>> Hannes & Derek
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OAuth mailing list
> >>>>>> OAuth@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/oauth
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Thomas Broyer
> >>>>>> /tɔ.ma.bʁwa.je/
> >
>
> ------------------------------
>
> End of OAuth Digest, Vol 69, Issue 134
> **************************************
>
> ------------------------------
>
> Message: 2
> Date: Sun, 3 Aug 2014 13:33:56 +0700
> From: Panca Agus Ananda <panca70@outlook.com>
> To: oauth-request@ietf.org, oauth@ietf.org
> Subject: [OAUTH-WG] Check out Search for Ebay for BlackBerry
> Message-ID: <BLU406-EAS19B8940435C09725EB3020A6E50@phx.gbl>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: <
> http://www.ietf.org/mail-archive/web/oauth/attachments/20140803/b9829b72/attachment.html
> >
>
> ------------------------------
>
> Message: 3
> Date: Sun, 3 Aug 2014 16:12:09 +0700
> From: Panca Agus Ananda <panca70@outlook.com>
> To: OAuth@ietf.org
> Subject: [OAUTH-WG] (no subject)
> Message-ID: <BLU406-EAS24761A8E1E8BA3968366F52A6E50@phx.gbl>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: <
> http://www.ietf.org/mail-archive/web/oauth/attachments/20140803/d01ce031/attachment.html
> >
>
>
> ------------------------------
>
> End of OAuth Digest, Vol 70, Issue 1
> ************************************
>
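
The quoted thread notes that "active" is the only mandatory member of an introspection response, with every other claim optional and the list extensible. The following added example, which is not from the thread or from the draft, shows a resource server failing closed on that basis; the claim names `exp` and `scope`, the space-separated scope format, and the function name `authorize` are assumptions.

```python
import time

# Constructed sample responses (not captured traffic). Claim names other than
# "active" are assumptions; the thread only says they are optional.
SAMPLES = {
    "full":     {"active": True, "exp": 2000, "scope": "read write", "x_tenant": "acme"},
    "minimal":  {"active": True},
    "stringly": {"active": "true", "scope": "read"},
    "expired":  {"active": True, "exp": 500, "scope": "read"},
    "revoked":  {"active": False},
}


def authorize(introspection, required_scope, now=None):
    """Return (allowed, reason) for a parsed introspection response."""
    now = time.time() if now is None else now
    if not isinstance(introspection, dict):
        return False, "malformed response"
    # "active" is the one mandatory member: fail closed unless it is the
    # JSON boolean true (not "true", 1, or absent).
    if introspection.get("active") is not True:
        return False, "token not active"
    # Optional claim: enforce expiry only when the server supplied it.
    exp = introspection.get("exp")
    if exp is not None:
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            return False, "malformed exp"
        if exp <= now:
            return False, "token expired"
    # Optional claim this RS depends on: if the AS omits it, deny rather
    # than guess. This is where two deployments stop interoperating.
    scope = introspection.get("scope")
    if not isinstance(scope, str):
        return False, "scope not provided"
    if required_scope not in scope.split():
        return False, "insufficient scope"
    # Unknown claims such as "x_tenant" are ignored: the list is extensible.
    return True, "ok"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, authorize(body, "read", now=1000))
```

The "minimal" sample is a valid response under the mandatory-only rule, yet this resource server still has to deny it because the scope it relies on was never sent.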