Re: [OAUTH-WG] [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec

William Denniss <wdenniss@google.com> Mon, 16 March 2020 19:53 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3C9B3A0FEA for <oauth@ietfa.amsl.com>; Mon, 16 Mar 2020 12:53:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nbulBNDW7MWm for <oauth@ietfa.amsl.com>; Mon, 16 Mar 2020 12:53:18 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 583983A0FE7 for <oauth@ietf.org>; Mon, 16 Mar 2020 12:53:18 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id d63so19185009oig.6 for <oauth@ietf.org>; Mon, 16 Mar 2020 12:53:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iH6AAmcoqt8i8AidWzjBks+B4Xt/AaxxEHlFdMrbZ/g=; b=v3qLAQo7QhpFkZ6p6rp0L8eAccQNicyox82SflgXM//fL5EgdtztOkA1b3QUBorQvC Ue3v+EjecsZRV66dqbvIZPiosb6kYNloNSSieBw/Z7Wtk/u7JA8VEIThTCn9VnMiQBCI sATz5c3cCDhH8JQpxiNt/qWD0Q1PG8J7yvxATb3inO/KXxMur8iv9Xwdeji4j3Q7OKna eILNa77IrkqrPqAlPXMi+rUaBOPnwNwRZwR6BECwDQKm7TKdikwRHcZ/5vmdrlcZn9Zz E8cYWWj0PutZTAcH68ReyaYpd8a4JzQ67tG4Z4NBEZV6eTvdNgbwSRvF/riQkCrdHFgA pgjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iH6AAmcoqt8i8AidWzjBks+B4Xt/AaxxEHlFdMrbZ/g=; b=mOlErIVirgQLate+oKaSLgNVzKDEFdS4BSLJsYJFZha7Z7k4dXbpjeLjJMGYa+7JG2 wQ4+abgFN+Jk3NnLnY91YiX8plXOEheVwWAaxbvepp1QxHjcJij+SPrmtwyZRmxjaYSL ti11Yd+CsLMtUqCXQjFqZJiUlgk+H9WjVLd3cYM4k3374nnA6oOiAztsm+tOl6pawIAx 6wC7JohrELvSukdluHL8cSw6BYd10DHPoFQT4L2FH4YsWTktVi466KLM/0hY0UJmASCf mc0faAnBEzHFBdLOjTHIkfKjmfJvwTemaqVTBL+urVI+g90CQdVLToBFeO49wcW9sane 1qLw==
X-Gm-Message-State: ANhLgQ2iCL4FI2j0lLRFp4qyqlgSfB+RwxoyNaAnFXpm+Rpc0wMLgzoN c6HbAtMOiVsyMOK6815qxBMxjlHdpzPZhCFghWhFGIm2QNiKRg==
X-Google-Smtp-Source: ADFU+vvs0ReRxVWLpMoQmvWErVd6h2vwKt1c1pJBlmGmU26XRBnpzZnHIsY3MYlhQ0k6Y+PY9lTBezDjlNASKDKhBxA=
X-Received: by 2002:aca:a882:: with SMTP id r124mr902870oie.53.1584388396976; Mon, 16 Mar 2020 12:53:16 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR00MB06845FEB6201E73E87CA30B9F5F90@DM6PR00MB0684.namprd00.prod.outlook.com><CAD9ie-uZEjcnAF+N7ni6XMznaUWJxkFE7BTi+o2FLiQqhHA-Mg@mail.gmail.com> <DM6PR00MB0684F27F5A069BA3D9B1AD68F5F90@DM6PR00MB0684.namprd00.prod.outlook.com> <CA+k3eCR_NnTm5HO8+ALiCN=eQnxp69dVmLsPK_F4DCmeV9iLEQ@mail.gmail.com>
In-Reply-To: <CA+k3eCR_NnTm5HO8+ALiCN=eQnxp69dVmLsPK_F4DCmeV9iLEQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 16 Mar 2020 12:53:05 -0700
Message-ID: <CAAP42hD_nAfcKSv+LdPirrzkS4hf8QnqZKe0pj4-Z_iKy17Y6Q@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000097193305a0fe2b4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AVzHOG2NWQfp_VvVl3M5q6yA7jY>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2020 19:53:21 -0000

> This specification replaces and obsoletes these OAuth 2.0
specifications:  RFC 6749 and RFC 8252.  It does so by removing portions of
them that are no longer considered best security practices; the portions
that remain are compatible with the corresponding portions of the specs
being replaced.  By design, it does not introduce any new features to what
already exists in the OAuth 2.0 specifications being replaced.

Does this text "It does so by removing portions of them that are no longer
considered best security practices" relate to 8252 or just 6749? If both,
then what is the portion of 8252 no longer considered best practice?

On Mon, Mar 16, 2020 at 12:44 PM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

> +1
>
> Without going into any of the specific wording, I do very much agree with
> the sentiment and direction here.
>
> On Mon, Mar 16, 2020 at 1:41 PM Mike Jones <Michael.Jones=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
>> Perfect – thanks for listening.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Dick Hardt <dick.hardt@gmail.com>
>> *Sent:* Monday, March 16, 2020 12:32 PM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* aaron@parecki.com; torsten@lodderstedt.net; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec
>>
>>
>>
>> Thanks for the suggested text Mike. A little wordy for me, but I agree
>> with the intention to minimize market place confusion. I'll discuss how to
>> incorporate with my co-authors.
>>
>> ᐧ
>>
>>
>>
>> On Mon, Mar 16, 2020 at 11:35 AM Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> Thanks for the clarifications, Dick.  Here’s my resulting proposed
>> changes.  Part of my goal here is for people to understand the goals and
>> non-goals from reading the abstract.
>>
>>
>>
>> In the Abstract, change:
>>
>> This specification replaces and obsoletes the OAuth 2.0 Authorization
>> Framework described in RFC 6749 <https://tools.ietf.org/html/rfc6749>.
>>
>> to:
>>
>> This specification replaces and obsoletes these OAuth 2.0
>> specifications:  RFC 6749 and RFC 8252.  It does so by removing portions of
>> them that are no longer considered best security practices; the portions
>> that remain are compatible with the corresponding portions of the specs
>> being replaced.  By design, it does not introduce any new features to what
>> already exists in the OAuth 2.0 specifications being replaced.
>>
>>
>>
>> (If you want to list other non-RFCs that you believe that will be
>> obsoleted, you can do that too.)
>>
>>
>>
>> Add this text to the cited paragraph in Section 2.1:
>>
>> When this specification does not replace existing specifications produced
>> by the OAuth working group or other non-OAuth-working-group profiles of
>> OAuth that extend OAuth 2.0 via the IANA “OAuth Parameters” registry
>> [IANA.OAuth.Parameters], it is intended that those specifications will
>> continue to be used with OAuth 2.1 in the same manner that they are with
>> the OAuth 2.0 specifications being replaced.
>>
>>
>>
>> The reference for [IANA.OAuth.Parameters] is
>> https://www.iana.org/assignments/oauth-parameters/.
>>
>>
>>
>> The last sentence – saying that stuff not explicitly obsoleted isn’t
>> being changed – is critical to reducing the marketplace anxiety that this
>> effort might otherwise create.  Please make it a goal to remove uncertainty
>> and sources of speculation wherever possible.
>>
>>
>>
>> Thanks again for the useful discussion.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Dick Hardt <dick.hardt@gmail.com>
>> *Sent:* Monday, March 16, 2020 8:36 AM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* aaron@parecki.com; torsten@lodderstedt.net; oauth@ietf.org
>> *Subject:* Re: Clarifying the scope of the OAuth 2.1 spec
>>
>>
>>
>> Hi Mike
>>
>>
>>
>> I'm aligned on the overall messaging. Sorry I was not clear on my
>> feedback -- it was directed at your suggested text, specifically the terms
>> "OAuth 2.0" and "OAuth 2.0 set of protocols"
>>
>>
>>
>> FYI: the "new" features, are not new to "OAuth 2.0" per se as they are
>> existing specifications -- my point was that they are not features that are
>> in RFC 6749. OAuth 2.1 is also NOT a superset of all 22 specifications.
>>
>>
>>
>> This paragraph in the 2.1 doc attempts to describe what OAuth 2.1 is and
>> is not:
>>
>>
>>
>> Since the publication of the OAuth 2.0 Authorization Framework ([RFC6749
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#RFC6749>])
>> in October 2012, it has been updated by OAuth 2.0 for Native Apps ([
>> RFC8252
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#RFC8252>]),
>> OAuth Security Best Current Practice ([I-D.ietf-oauth-security-topics
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#I-D.ietf-oauth-security-topics>]),
>> and OAuth 2.0 for Browser-Based Apps ([I-D.ietf-oauth-browser-based-apps
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#I-D.ietf-oauth-browser-based-apps>]).
>> The OAuth 2.0 Authorization Framework: Bearer Token Usage ([RFC6750
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#RFC6750>])
>> has also been updated with ([I-D.ietf-oauth-security-topics
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#I-D.ietf-oauth-security-topics>]).
>> This Standards Track specification consolidates the information in all of
>> these documents and removes features that have been found to be insecure
>> in [I-D.ietf-oauth-security-topics
>> <https://tools.ietf.org/id/draft-parecki-oauth-v2-1-00.html#I-D.ietf-oauth-security-topics>
>> ].
>>
>>
>>
>> What changes would you suggest to this?
>>
>>
>>
>> ᐧ
>>
>>
>>
>> On Sun, Mar 15, 2020 at 9:01 PM Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> I’m glad you like the direction of my comments.  Sometimes saying what
>> you’re **not** doing is as important as saying what you **are** doing,
>> and I think this is such a case.
>>
>>
>>
>> As an example of why this matters, a developer recently asked me “Would
>> we have to use a different set of endpoints for OAuth 2.1?”  We should
>> clearly scope this work so that the answer is “No, you would use the same
>> endpoints.”
>>
>>
>>
>> Given that the abstract talks about obsoleting OAuth 2.0, I believe it’s
>> important for the abstract to say what’s being obsoleted, what’s not being
>> obsoleted, and what the relationship of the new spec is to the one(s) it’s
>> obsoleting.  As used in the vernacular by developers, I believe “OAuth 2.0”
>> commonly refers to the set of OAuth 2.0 RFCs approved by this working
>> group, which are the set of (currently 22) RFCs listed at
>> https://datatracker.ietf.org/wg/oauth/documents/ - as well as at least
>> some of the non-RFC specifications that extend OAuth 2.0 via the OAuth
>> registries at
>> https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml,
>> particularly [OAuth 2.0 Multiple Response Type Encoding Practices
>> <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>].
>> I’m pretty sure you intend that OAuth 2.1 keep using much of that widely
>> deployed work and not replace it.  You should be clear about that.
>>
>>
>>
>> Since you say that there are new features in OAuth 2.1, what are they and
>> are they essential to the OAuth 2.1 goals?  Or if they’re not essential,
>> could they more profitably be factored into another specification so that
>> the new features can be used either with OAuth 2.0 and OAuth 2.1?  That
>> might make the resulting messaging to developers much clearer.
>>
>>
>>
>>                                                        Thanks,
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Dick Hardt <dick.hardt@gmail.com>
>> *Sent:* Sunday, March 15, 2020 6:50 PM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* aaron@parecki.com; torsten@lodderstedt.net; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec
>>
>>
>>
>> Hi Mike
>>
>>
>>
>> I like where you are going with this, but what do we mean when we say
>> OAuth 2.0? Is it RFC 6749? What is the OAuth 2.0 set of protocols?
>>
>>
>>
>> OAuth 2.1 includes features that are not in RFC 6749, so it is not a
>> subset of that specification.
>>
>> ᐧ
>>
>>
>>
>> On Sun, Mar 15, 2020 at 2:34 PM Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> The abstract of draft-parecki-oauth-v2-1 concludes with this text:
>>
>>    This specification replaces and obsoletes the OAuth 2.0 Authorization
>> Framework described in RFC 6749 <https://tools.ietf.org/html/rfc6749>.
>>
>>
>>
>> While accurate, I don’t believe that this text captures the full intent
>> of the OAuth 2.1 effort – specifically, to be a recommended subset of OAuth
>> 2.0, rather than to introduce incompatible changes to it.  Therefore, I
>> request that these sentences be added to the abstract, to eliminate
>> confusion in the marketplace that might otherwise arise:
>>
>>
>>
>>     OAuth 2.1 is a compatible subset of OAuth 2.0, removing features that
>> are not currently considered to be best practices.  By design, it does not
>> introduce any new features to what already exists in the OAuth 2.0 set of
>> protocols.
>>
>>
>>
>>                                                        Thanks,
>>
>>                                                        -- Mike
>>
>>
>>
>> P.S.  I assert that any incompatible changes should be proposed as part
>> of the TxAuth effort and not as part of OAuth 2.1.
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>