[OAUTH-WG] Status and next steps on Assertions
Brian Campbell <bcampbell@pingidentity.com> Wed, 19 October 2011 21:58 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 19 Oct 2011 15:58:23 -0600
To: oauth <oauth@ietf.org>
Cc: Barry Leiba <barryleiba@computer.org>
Subject: [OAUTH-WG] Status and next steps on Assertions
A few of us had a chance to meet face to face this morning at IIW 13 in Mountain View and talked a bit about the assertions document. I wanted to try and (very quickly) summarize that and also talk about some next steps for these documents. This is partly a summary and partly a reminder of things to be done.

"OAuth 2.0 Assertion Profile"
http://tools.ietf.org/html/draft-ietf-oauth-assertions-00

Hannes and Barry expressed concern about some of the wording (and possibly the SAML one as well?), saying that it could potentially be misleading or confusing regarding the actual security properties implied or provided by the profile. Hannes was going to take a crack at proposing some new text.

This draft is due for an update and there have been some comments on it over the last few months. I found http://www.ietf.org/mail-archive/web/oauth/current/msg07186.html, which are some general comments from Yaron, and http://www.ietf.org/mail-archive/web/oauth/current/msg07173.html, which is from me about the need to do parameter registration in this doc. I thought there were some additional comments but I can't seem to find them.

Personally, given the treatment of client_id in draft-ietf-oauth-v2-22, I think that this draft needs to rework its handling of client_id. It should probably just be omitted completely from section 4.2. "Using Assertions as Authorization Grants" and made optional or even forbidden in section 4.1. "Using Assertions for Client Authentication".

"An IETF URN Sub-Namespace for OAuth"
http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-00

I think this short document is ready to go on to whatever is next.

"SAML 2.0 Bearer Assertion Profiles for OAuth 2.0"
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-08

I believe this document is also ready to go, although it depends on the previous two documents, so they should probably progress together as a group.

The only comment I'm aware of on it came from a cross posting at the OASIS SSTC, and while I acknowledge what was said, I don't believe it can be addressed. I can provide more detail if anyone is interested.

Hannes said he thought there might be some editorial issues with it or perhaps it contained incorrect URI(s). He wasn't sure if he was working against the latest draft, however, so he is planning on double checking and providing comments if appropriate.

"JSON Web Token (JWT) Bearer Profile for OAuth 2.0"
http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00

Mike is going to update this draft to be an instance of draft-ietf-oauth-assertions-00, similar to what draft-ietf-oauth-saml2-bearer-08 does.
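Added illustration of the client_id point raised in the message (this is example code, not code from the message or from any of the drafts it discusses): a toy authorization-server token endpoint in Python that accepts a JWT assertion either as the authorization grant (the section 4.2 use) or as client authentication (the section 4.1 use), derives the client's identity from the verified assertion, and treats client_id as optional, rejecting it only when it contradicts what the assertion established. The endpoint URL, the client registry, the use of HS256 shared keys, the parameter names assertion / client_assertion / client_assertion_type and the urn:ietf:params:oauth:... values are assumptions made for the example (the names and URNs follow what the later RFCs registered, not necessarily draft-00), and the grant assertion is assumed to be issued by the registered client itself.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Assumed values for this example: the AS token endpoint (used as the assertion
# audience) and the grant-type / client-assertion-type URNs.
TOKEN_ENDPOINT = "https://as.example/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed client registry: client identifier -> shared HMAC key (HS256 keeps
# the example dependency-free; a real AS would hold the client's public key).
CLIENT_KEYS = {"client-abc": b"constructed-shared-secret-for-client-abc"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample assertions."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now=None) -> dict:
    """Verify signature, issuer, expiry and audience; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    claims = json.loads(_b64url_decode(payload_b64))
    key = CLIENT_KEYS.get(claims.get("iss"))  # the issuer names the registered client
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("wrong audience")
    return claims


def build_request(params: dict) -> str:
    """Form-encode a token request body (helper for the usage below)."""
    return urlencode(params)


def handle_token_request(body: str, now=None) -> dict:
    """Toy token endpoint: the client's identity comes from the assertion, not from client_id."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client = None
    subject = None

    # Section 4.1 use: an assertion presented as client authentication.
    if form.get("client_assertion_type") == JWT_CLIENT_ASSERTION:
        try:
            claims = verify_jwt(form.get("client_assertion", ""), now)
        except ValueError as exc:
            return {"error": "invalid_client", "error_description": str(exc)}
        if claims.get("sub") != claims.get("iss"):
            return {"error": "invalid_client", "error_description": "client assertion must be self-issued"}
        client = claims["iss"]

    grant_type = form.get("grant_type")
    # Section 4.2 use: the assertion is the authorization grant.
    if grant_type == JWT_BEARER_GRANT:
        try:
            claims = verify_jwt(form.get("assertion", ""), now)
        except ValueError as exc:
            return {"error": "invalid_grant", "error_description": str(exc)}
        subject = claims.get("sub")
        if client is None:
            client = claims["iss"]  # assumption: the grant assertion is issued by the client itself
    elif grant_type == "client_credentials" and client is not None:
        subject = client
    else:
        return {"error": "unsupported_grant_type"}

    # client_id is never required; if a client sends it anyway it must agree with
    # the identity the verified assertion established, otherwise reject the request.
    client_id = form.get("client_id")
    if client_id is not None and client_id != client:
        return {"error": "invalid_request", "error_description": "client_id does not match assertion"}

    issued_at = time.time() if now is None else now
    token = hashlib.sha256(f"{client}:{subject}:{issued_at}".encode()).hexdigest()  # constructed opaque token
    return {"access_token": token, "token_type": "bearer", "client": client, "subject": subject}


if __name__ == "__main__":
    key = CLIENT_KEYS["client-abc"]
    grant = make_jwt({"iss": "client-abc", "sub": "alice", "aud": TOKEN_ENDPOINT, "exp": time.time() + 300}, key)
    print(handle_token_request(build_request({"grant_type": JWT_BEARER_GRANT, "assertion": grant})))
```

The point the code makes concrete: once the assertion's signature, issuer, audience and expiry are checked, the authorization server already knows which registered client it is talking to, so a separate client_id parameter carries no information on the grant path and, at best, something to cross-check on the client-authentication path.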