Re: [OAUTH-WG] Assertion Draft: Text about Interoperability -- Today

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 18 January 2013 17:47 UTC

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Assertion Draft: Text about Interoperability -- Today

Hiya,

So I'll take the lack of further discussion about this as meaning
that the wg want this to shoot ahead. I'll put this in as an RFC
editor note for the draft.

Cheers,
S.

On 01/18/2013 12:04 PM, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> Hi all, 
> 
> As you have seen on the list (see
> http://www.ietf.org/mail-archive/web/oauth/current/msg10526.html) I had
> a chat with Mike about how to address my comment for the assertion draft
> and Mike kindly provided his text proposal (see
> http://www.ietf.org/mail-archive/web/oauth/current/msg10529.html). I
> have used his text as input and extended it a bit. Here is the updated
> text. 
> 
> ----
> 
> Operational Considerations and Interoperability Expectations
> 
> This specification defines a framework for using assertions with OAuth
> 2.0. However, as an abstract framework on its own, this specification is
> not sufficient to produce interoperable implementations. Two other
> specifications that instantiate this framework have been developed: one
> uses SAML 2.0-based assertions and is described in
> [I-D.ietf-oauth-saml2-bearer], and the second builds on JSON Web Tokens
> (JWTs) and can be found in [I-D.ietf-oauth-jwt-bearer]. These two
> instantiations provide additional details about the assertion encoding
> and processing rules for those interested in implementing and deploying
> assertions with OAuth 2.0.
> 
> However, even with these instance documents an interoperable
> implementation is not possible, since for a specific deployment
> environment (within a trust framework or circle of trust, as it is
> sometimes called) acceptable values for various fields in the
> specification have to be agreed upon. For example, the audience
> field needs to be populated by the entity that generates the assertion
> with a specific value, and that value may hold identifiers of different
> types (for example, a URL, an IP address, an FQDN), and the entity
> receiving and verifying the assertion must compare the value in the
> audience field with other information it may obtain from the request
> and/or with locally available information. Since neither the abstract
> framework nor the instance documents provide sufficient information about
> the syntax, the semantics and the comparison operation of the audience
> field, additional profiling in further specifications is needed for an
> interoperable implementation. This additional profiling is needed not
> only for the audience field but for other fields as well.
> 
> This framework was designed with the expectation that additional
> specifications will fill this gap for deployment-specific environments.
> 
> ----
> 
> You have the choice:
> 
> 1. take this as-is if you want the assertion draft
> (draft-ietf-oauth-assertions ) on the Jan 24 IESG telechat. There is no
> normative text in the writeup; it is rather a clarification.
> 
> 2. discuss it if need be, and draft-ietf-oauth-assertions will be on the
> Feb 7 telechat (if the discussion is done by Feb 1)
> 
> 1 or 2 needs to be chosen today.
> 
> 
> Ciao
> Hannes
> 
> PS: FYI - draft-ietf-oauth-saml2-bearer and draft-ietf-oauth-jwt-bearer
> are not yet on the telechat agenda. 
> 
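To make the audience point in the quoted text concrete, here is an added example (not from the assertion draft, the JWT bearer draft or anyone on this thread) of a JWT-bearer verifier in which the accepted audience set, the trusted issuer set and the exact-string comparison rule are exactly the deployment-specific profiling the framework leaves open. The key, issuer and audience values are constructed, and HS256 with a shared key is used only so the example runs stand-alone.

```python
import base64
import hashlib
import hmac
import json

# Deployment-specific profiling that the framework itself leaves open:
# the set of audience identifiers this authorization server accepts, the
# issuers it trusts, and the rule that comparison is an exact string match.
# All values are constructed for this example.
ACCEPTED_AUDIENCES = {"https://as.example.com/token"}
TRUSTED_ISSUERS = {"https://idp.example.com"}
SHARED_KEY = b"example-shared-secret"  # constructed; HS256 keeps it stand-alone

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build an HS256 JWT bearer assertion (constructed test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_assertion(jwt: str, now: int, key: bytes = SHARED_KEY) -> tuple:
    """Return (ok, reason); no claim is trusted before the signature checks out."""
    try:
        header, body, sig = jwt.split(".")
    except ValueError:
        return False, "malformed"
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "alg not allowed"  # rejects alg=none and anything unexpected
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    # "aud" may be one string or a list of strings; one value must match exactly,
    # so "https://as.example.com/token/" or "as.example.com" are rejected.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in ACCEPTED_AUDIENCES for a in auds):
        return False, "audience mismatch"
    return True, "ok"
```

Swapping the comparison rule (say, comparing host names only) changes which assertions are accepted, which is why both sides of a trust framework have to agree on it before interoperating.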