Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Mon, 03 December 2012 17:30 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8573F21F887C for <oauth@ietfa.amsl.com>; Mon, 3 Dec 2012 09:30:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.148
X-Spam-Level:
X-Spam-Status: No, score=-4.148 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-B3XRcnijbw for <oauth@ietfa.amsl.com>; Mon, 3 Dec 2012 09:30:57 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id 8978E21F8863 for <oauth@ietf.org>; Mon, 3 Dec 2012 09:30:57 -0800 (PST)
Received: from usnavsmail3.ndc.alcatel-lucent.com (usnavsmail3.ndc.alcatel-lucent.com [135.3.39.11]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id qB3HUu0G018733 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Mon, 3 Dec 2012 11:30:56 -0600 (CST)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail3.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id qB3HUuvS030015 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Mon, 3 Dec 2012 11:30:56 -0600
Received: from [135.222.232.243] (USMUYN0L055118.mh.lucent.com [135.222.232.243]) by umail.lucent.com (8.13.8/TPES) with ESMTP id qB3HUtu2004320; Mon, 3 Dec 2012 11:30:55 -0600 (CST)
Message-ID: <50BCE1CF.2000202@alcatel-lucent.com>
Date: Mon, 03 Dec 2012 12:30:55 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <OF0E5B7A6A.09F3282A-ON48257AC9.0030D225-48257AC9.0030DFA4@zte.com.cn> <1462369564742567140@unknownmsgid>
In-Reply-To: <1462369564742567140@unknownmsgid>
Content-Type: multipart/alternative; boundary="------------090300010107060206020906"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.11
Subject: Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2012 17:30:58 -0000

Actually, I think it is a good time to start looking at the resourse
owner issuing assertions@ (Interestingly enough, Hui-Lan had brought
this up a couple of years ago.)

Igor

On 12/3/2012 3:58 AM, Nat Sakimura wrote:
> I suppose, yes. I was reading it like that all the time.
> Whether it is or not, if it is still ok, it might be better to clarify
> it.
> Word like "third party" tends to be a bit of problem without clearly
> defining.
> I had similar experience in other fora.
>
> Nat
>
> Sent from iPad
>
> 2012/12/03 0:52¡¢"zhou.sujing@zte.com.cn
> <mailto:zhou.sujing@zte.com.cn>" <zhou.sujing@zte.com.cn
> <mailto:zhou.sujing@zte.com.cn>> ¤Î¥á¥Ã¥»©`¥¸:
>
>>
>> could be Resource owner?
>>
>>
>> *"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com
>> <mailto:hannes.tschofenig@nsn.com>>*
>> ·¢¼þÈË: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>
>>
>> 2012-12-03 16:49
>>
>> 	
>> ÊÕ¼þÈË
>> 	"ext Nat Sakimura" <sakimura@gmail.com <mailto:sakimura@gmail.com>>,
>> "Brian Campbell" <bcampbell@pingidentity.com
>> <mailto:bcampbell@pingidentity.com>>, "oauth" <oauth@ietf.org
>> <mailto:oauth@ietf.org>>
>> ³­ËÍ
>> 	
>> Ö÷Ìâ
>> 	Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be
>> either the client or a third party token service?
>>
>>
>>
>> 	
>>
>>
>>
>>
>>
>> Hi Nat,
>>
>> The current text essentially says that the assertion can either be
>> created by the client (in which case it is self-signed) or it can be
>> created by some other entity (which is then called the third party
>> token service). So, this third party could be the authorization server.
>>
>> Ciao
>> Hannes
>>
>>
>> *From:* oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>
>> [mailto:oauth-bounces@ietf.org] *On Behalf Of *ext Nat Sakimura*
>> Sent:* Monday, December 03, 2012 10:35 AM*
>> To:* Brian Campbell; oauth*
>> Subject:* [OAUTH-WG] Assertion Framework - Why does issuer have to be
>> either the client or a third party token service?
>>
>> Hi Brian,
>>
>>
>> The assertion framework defines the Issuer as:
>>
>> Issuer The unique identifier for the entity that issued the
>> assertion. Generally this is the entity that holds the key
>> material used to generate the assertion. The issuer may be either
>> an OAuth client (when assertions are self-issued) or a third party
>> token service.
>>
>> I was wondering why it has to be either the client or a third party
>> token service.
>> Conceptually, it could be any token service (functionality) residing
>> in any of
>>
>> the stakeholders (Resource Owner, OAuth Client, Authorization Server, or
>> a third party).
>>
>>
>> I would appreciate if you could clarify why is the case.
>>
>>
>> Best,
>>
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation_
>> __http://nat.sakimura.org/_
>> @_nat_en
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth