[OAUTH-WG] Status and next steps on Assertions

Brian Campbell <bcampbell@pingidentity.com> Wed, 19 October 2011 21:58 UTC

Message-ID: <CA+k3eCRzvhfy1ip8Ct=u524jWxs4D9PbuVNN+M_6_aL8mQ6kZw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Cc: Barry Leiba <barryleiba@computer.org>

A few of us had a chance to meet face to face this morning at IIW 13
in Mountain View and talked a bit about the assertions document. I
wanted to try and (very quickly) summarize that and also talk about
some next steps for these documents. This is partly a summary and
partly a reminder of things to be done.

The "OAuth 2.0 Assertion Profile"

Hannes and Barry expressed concern about some of the wording (and
possibly the SAML one as well?) saying that it could potentially be
misleading or confusing regarding the actual security properties
implied or provided by the profile. Hannes was going to take a crack
at proposing some new text.

This draft is due for an update and there have been some comments on
it over the last few months. I found
http://www.ietf.org/mail-archive/web/oauth/current/msg07186.html which
are some general comments from Yaron and
http://www.ietf.org/mail-archive/web/oauth/current/msg07173.html which
is from me about the need to do parameter registration in this doc.

I thought there were some additional comments but I can't seem to find
them. Personally, given the treatment of client_id in
draft-ietf-oauth-v2-22, I think that this draft needs to rework its
handling of client_id. It should probably just be omitted completely
from section 4.2. "Using Assertions as Authorization Grants" and made
optional or even forbidden in section 4.1. "Using Assertions for
Client Authentication".

"An IETF URN Sub-Namespace for OAuth"

I think this short document is ready to go on to whatever is next.

"SAML 2.0 Bearer Assertion Profiles for OAuth 2.0"

I believe this document is also ready to go, although it depends on
the previous two documents, so they should probably progress together
as a group.

The only comment I'm aware of on it came from a cross posting at the
OASIS SSTC and while I acknowledge what was said, I don't believe it
can be addressed. I can provide more detail, if anyone is interested.

Hannes said he thought there might be some editorial issues with it or
perhaps it contained incorrect URI(s). He wasn't sure if he was
working against the latest draft, however, so he is planning on double
checking and providing comments if appropriate.

"JSON Web Token (JWT) Bearer Profile for OAuth 2.0"

Mike is going to update this draft to be an instance of
draft-ietf-oauth-assertions-00 similar to what
draft-ietf-oauth-saml2-bearer-08 does.