Re: [OAUTH-WG] A Proposal for Dynamic Registration
Anthony Nadalin <tonynad@microsoft.com> Tue, 06 August 2013 23:20 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B8F521F9984 for <oauth@ietfa.amsl.com>; Tue, 6 Aug 2013 16:20:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.057
X-Spam-Level:
X-Spam-Status: No, score=-1.057 tagged_above=-999 required=5 tests=[AWL=-0.590, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwJb0YkaX9XS for <oauth@ietfa.amsl.com>; Tue, 6 Aug 2013 16:20:12 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe002.messaging.microsoft.com [216.32.181.182]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8F021F9425 for <oauth@ietf.org>; Tue, 6 Aug 2013 16:20:12 -0700 (PDT)
Received: from mail76-ch1-R.bigfish.com (10.43.68.250) by CH1EHSOBE015.bigfish.com (10.43.70.65) with Microsoft SMTP Server id 14.1.225.22; Tue, 6 Aug 2013 23:20:11 +0000
Received: from mail76-ch1 (localhost [127.0.0.1]) by mail76-ch1-R.bigfish.com (Postfix) with ESMTP id 4561C34008E for <oauth@ietf.org>; Tue, 6 Aug 2013 23:20:11 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -17
X-BigFish: VS-17(zz9371I542I1418Idb82hzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6h1082kzz1de098h1033IL1de096h8275dh15d4I1de097hz2fh2a8h683h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: pass (mail76-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC107.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail76-ch1 (localhost.localdomain [127.0.0.1]) by mail76-ch1 (MessageSwitch) id 1375831208743941_21136; Tue, 6 Aug 2013 23:20:08 +0000 (UTC)
Received: from CH1EHSMHS022.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.241]) by mail76-ch1.bigfish.com (Postfix) with ESMTP id B1B40140047 for <oauth@ietf.org>; Tue, 6 Aug 2013 23:20:08 +0000 (UTC)
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS022.bigfish.com (10.43.70.22) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 6 Aug 2013 23:20:08 +0000
Received: from CO9EHSOBE031.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.80.67) with Microsoft SMTP Server (TLS) id 14.3.136.1; Tue, 6 Aug 2013 23:20:07 +0000
Received: from mail56-co9-R.bigfish.com (10.236.132.242) by CO9EHSOBE031.bigfish.com (10.236.130.94) with Microsoft SMTP Server id 14.1.225.22; Tue, 6 Aug 2013 23:19:00 +0000
Received: from mail56-co9 (localhost [127.0.0.1]) by mail56-co9-R.bigfish.com (Postfix) with ESMTP id 8A6E4DC00DF for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Tue, 6 Aug 2013 23:19:00 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(51444003)(13464003)(55885003)(377454003)(189002)(199002)(16406001)(53806001)(69226001)(74876001)(4396001)(79102001)(561944002)(47736001)(49866001)(81542001)(74316001)(74502001)(81342001)(47446002)(31966008)(74662001)(76482001)(54316002)(56776001)(77096001)(54356001)(80976001)(56816003)(74706001)(80022001)(65816001)(77982001)(59766001)(74366001)(51856001)(47976001)(46102001)(50986001)(63696002)(76576001)(83072001)(19580385001)(19580395003)(33646001)(19580405001)(76786001)(76796001)(83322001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::7d; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail56-co9 (localhost.localdomain [127.0.0.1]) by mail56-co9 (MessageSwitch) id 1375831138402742_4731; Tue, 6 Aug 2013 23:18:58 +0000 (UTC)
Received: from CO9EHSMHS026.bigfish.com (unknown [10.236.132.252]) by mail56-co9.bigfish.com (Postfix) with ESMTP id 5194F500047; Tue, 6 Aug 2013 23:18:58 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com (157.56.240.21) by CO9EHSMHS026.bigfish.com (10.236.130.36) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 6 Aug 2013 23:18:57 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BL2PRD0310HT003.namprd03.prod.outlook.com (10.255.97.38) with Microsoft SMTP Server (TLS) id 14.16.341.1; Tue, 6 Aug 2013 23:18:56 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 6 Aug 2013 23:18:53 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) with mapi id 15.00.0745.000; Tue, 6 Aug 2013 23:18:53 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmIzgQQ
Date: Tue, 06 Aug 2013 23:18:53 +0000
Message-ID: <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org>
In-Reply-To: <52016822.2090703@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ed43::7d]
x-forefront-prvs: 0930AAFAD9
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC107.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC107.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2013 23:20:25 -0000
I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that. -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer Sent: Tuesday, August 6, 2013 2:18 PM To: oauth@ietf.org Subject: [OAUTH-WG] A Proposal for Dynamic Registration At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents: - OAuth Dynamic Registration - SCIM-based OAuth Dynamic Registration - Software Statements for OAuth Dynamic Registration I think that they all have their place in the world, and this is how I see them fitting together: OAuth Dynamic Registration What it is: Essentially the draft we have today, draft 14. This draft defines a standalone RESTful API for dealing with client registrations, it allows for open registration as well as protected registration, and perhaps most importantly we know that it works because people have implemented it as part of several different APIs. This could have an informational pointer to the SCIM draft and the Software Statements draft. We could call this one "core" or "basic" or some other modifier, but I don't think that's necessary because it already does what it says on the tin. What it needs to concentrate on: This needs to be a "base" document with extension hooks in key places (such as the client metadata, which is already extensible, and places that have been made extensible like the token_endpoint_auth_method, and perhaps others). It needs to get its job done, allowing for full specification of the simple case in an interoperable way (anonymous registration of self-asserted client metadata to receive a client identifier and manage the registration) and be extensible and flexible enough for the more complex cases. What we should do: I think that we should continue shepherding this document through WGLC in the OAuth WG because there are no specific open issues in the spec (that I, the editor, am aware of) and I've seen what I would personally consider to be rough consensus on it (not unanimous, but that's not necessary anyway). SCIM-based OAuth Dynamic Registration: What it is: Most of Phil's draft, this defines a SCIM profile for managing OAuth clients dynamically. This will accomplish the same kinds of things that the OAuth Dynamic Registration Draft will accomplish, but in a SCIM-like manner. This will have a normative dependency on SCIM (of some version), and probably an informational dependency on OAuth Dynamic Registration. This could have an informational pointer to the Software Statements draft. This draft is very useful if you're already deploying a SCIM based system, and if you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft. However, I strongly believe that SCIM is a really big jump for implementing basic functionality that this is trying to accomplish. What it needs to concentrate on: Tracking with the overall SCIM specification (on which it depends) and tracking with the data model and general usage of the OAuth Dynamic Registration protocol (wherever it makes sense to do so). What we should do: I think that this draft should be picked up and worked on as an IETF document, but I think that it probably makes more sense for that work to be done inside of the SCIM working group. The reasons for this are twofold: First, this draft really should look and feel like SCIM, and to do that it really needs the attention of the group that's defining SCIM. Second, SCIM isn't completed and likely won't be for some time to come, and this draft needs to track with that protocol as it moves through the IETF process. Software Statements for OAuth Dynamic Registration What it is: Section 4 of Phil's draft (plus a few other bits, discussed here), this defines a method for presenting signed and/or verifiable claims to the registration server's endpoint. This is most useful when an authorization server can verify the claims being presented, such as being able to discover the signing key from the "iss" claim and validate the signature. This could also be used (with some additional specification) by a discovery-based system that could fix ahead of time some of the claims for a given piece of software (like we've done with BlueButton+). In some circumstances, this assertion could even contain all relevant bits of the registration, leaving the rest of the metadata fields blank. This is essentially the "use the assertion as the registration" flow that Phil discussed at the meeting, from what I understand. In all of these cases, it can give us a higher assurance for the registration and means to tie together multiple instances of a piece of software across a network. What it needs to concentrate on: Making the software statements interoperable. I don't think this is going to be an easy task, and I think it's going to be a long process to get it *right* for all players. What we should do: I think that this draft should be picked up by the OAuth Working Group as a WG document, and it should be built as an extension to both the OAuth Dynamic Registration and SCIM-based OAuth Dynamic Registration documents. I think it's important, but it's added functionality on top of either the RESTful or the SCIM-based registration documents, and as such it should have a normative reference to both of them with detailed profiles of how to use them. So in all, we've got three main documents, each with different purposes and concentrations, and with different timelines. I don't see any problem with these coexisting, and I think doing things this way can cover all of our known use cases and let us actually progress these documents and move forward. -- Justin _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration George Fletcher
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Josh Mandel
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Phil Hunt
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Richer, Justin P.
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Leif Johansson
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Prateek Mishra
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Phil Hunt
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Sergey Beryozkin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Sergey Beryozkin