Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

William Denniss <wdenniss@google.com> Thu, 18 February 2016 19:43 UTC

In-Reply-To: <BY2PR03MB442A29EEEFDF8951EF7A8C5F5AF0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB44236EF33376F8C2BB135E8F5AF0@BY2PR03MB442.namprd03.prod.outlook.com> <533A97B6-F83D-4DBD-A015-81CD438EAE5F@oracle.com> <6E34B5BC-3E23-4E0F-8008-93797B15EB84@ve7jtb.com> <A52BE40A-DEF2-48D6-9612-5BD035104DDB@oracle.com> <56C5D96D.7000805@gmx.net> <BN3PR0301MB123401DCA44A6D651E859EB1A6AF0@BN3PR0301MB1234.namprd03.prod.outlook.com> <BY2PR03MB4421A86FA48276934F5F067F5AF0@BY2PR03MB442.namprd03.prod.outlook.com> <BN3PR0301MB1234A0179AA5FBB6F9D4C3EFA6AF0@BN3PR0301MB1234.namprd03.prod.outlook.com> <111B18CA-B61D-46C5-99D0-2BCF4673B0D5@ve7jtb.com> <BY2PR03MB44242429A89971F70FE71FBF5AF0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hBihsz74R6s2wnKJdc=+SvqC8FFzRRd=fg8jEUSwJ2Dtg@mail.gmail.com> <BY2PR03MB442A29EEEFDF8951EF7A8C5F5AF0@BY2PR03MB442.namprd03.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 18 Feb 2016 11:42:56 -0800
Message-ID: <CAAP42hD7Hy78ADm+i70XV=hCkWsXw_YvhRtwcE+CiNTpC_Zy8A@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/IV4TVXKipcaVYZ_TGOXfswVi3Ps>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

On Thu, Feb 18, 2016 at 11:36 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks, William.  I’m good with referencing the registry in Section 2.
>

Great!


> I’ll think about the registered/public/private comment.
>
>
I'm not suggesting we necessarily have to use the same
registered/public/private structure, only that some discussion of
standardized vs non-standard could be helpful for implementers (e.g. try to
pick something that is collision resistant for proprietary metadata).


> It’s fine to reference oauth-mix-up-mitigation as a draft in a finished
> RFC as long as it’s an informative and not a normative reference.
>

Ah, OK, I wasn't aware of that.



> From: William Denniss [mailto:wdenniss@google.com]
> Sent: Thursday, February 18, 2016 11:28 AM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: John Bradley <ve7jtb@ve7jtb.com>; Anthony Nadalin <tonynad@microsoft.com>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
>
> Two review comments:
>
> 1.
>
> Can the text in "Section 2.  Authorization Server Metadata" near the end
> regarding additional metadata be expanded? I think we should reference the
> IANA registry established by this spec in that section (as this will be the
> reference point for people looking for other registered metadata), and
> possibly mention something about registered vs unregistered parameters and
> interoperability. At present if you only read that section it is a little
> vague.
>
> I like the treatment of claims in the JWT spec
> https://tools.ietf.org/html/rfc7519#section-4.2, splitting into 3 groups:
> registered, public and private. Not saying we should mirror it exactly, but
> as an implementer I liked how clearly it was stated in that spec.
>
> 2.
>
> Since this doc is in WG Last call, do we need to remove the reference to
> the mix-up I-D (Section 2, "issuer"), or are we expecting them to be
> finalized together?
>
> On Thu, Feb 18, 2016 at 10:42 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> I'm fine with changing dynamic registration from being RECOMMENDED to
> OPTIONAL.  That's good actionable feedback.  Likewise, looking at again, we
> also need to change jwks_uri from REQUIRED to OPTIONAL, since not all OAuth
> deployments need keys.
>
> I expect more good, actionable feedback to also come from the WGLC as
> people carefully read the draft with fresh eyes.
>
>                                 -- Mike
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, February 18, 2016 10:33 AM
> To: Anthony Nadalin <tonynad@microsoft.com>
>
> Cc: Mike Jones <Michael.Jones@microsoft.com>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>;
> oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
>
> We are establishing a registry.  Some folks do use dynamic client
> registration.
>
> We can register it in this document or take it out and let others register
> it once the registry is established.
>
> It will be registered one way or the other.
>
> One of the reasons for starting last call is to get people to read the
> draft and comment.
> That seems to be working.
>
> If you have specific security considerations, please let us know so they
> can be addressed.   Text is always appreciated.
>
> John B.
>
> > On Feb 18, 2016, at 1:27 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
> >
> > Not sure about that. There are things that are "recommended" like the
> dynamic registration endpoint, I don't understand why this is recommended
> as a lot of folks still don't do this. There are security considerations
> about all the information that is in the discovery that have not been
> addressed.
> >
> > -----Original Message-----
> > From: Mike Jones
> > Sent: Thursday, February 18, 2016 10:18 AM
> > To: Anthony Nadalin <tonynad@microsoft.com>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>; John
> Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: RE: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > It's the OAuth-specific subset of what's already widely deployed.
> Nothing was invented - just subsetted.
> >
> > I think it's already as simple as possible unless the working group
> decides to remove even more functionality (which it can obviously do).
> >
> >                               -- Mike
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> > Sent: Thursday, February 18, 2016 10:13 AM
> > To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Phil Hunt <
> phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > I also think we are way far from last call (and surprised to see last
> call issued) on this document as it is still very complex for something
> that should be very simple
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes
> Tschofenig
> > Sent: Thursday, February 18, 2016 6:47 AM
> > To: Phil Hunt <phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> >
> >
> > On 02/18/2016 03:06 PM, Phil Hunt wrote:
> >> BTW. I think we are FAR from Last Call on this topic.
> >
> > Thanks for your feedback, Phil. As you have seen I had issued a WGLC
> prior to your message based on the claim from the authors that they believe
> the document is finished.
> >
> > We will, of course, take all reviews into account and see where we are
> with the discovery spec. I, as the shepherd, will also do my review and I
> encourage many working group members to also take a look at the document
> and to provide their input.
> >
> > Ciao
> > Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
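The thread touches three implementer-facing points: jwks_uri and the dynamic registration endpoint being OPTIONAL rather than REQUIRED/RECOMMENDED, the "issuer" value's tie-in to the mix-up mitigation work, and William's suggestion that proprietary metadata names be collision resistant in the spirit of the JWT registered/public/private claim split. The following is an added example written for this archive page, not code from the discovery draft or from any participant. It assumes: that REGISTERED approximates the metadata names the draft registers (the actual IANA registry may differ), that REQUIRED reflects a server offering the authorization code grant, that the issuer-equality check is the client-side check the mix-up reference implies (the issuer in the fetched document must equal the issuer the client used to locate it), and that the sample document with its two private names (`com.example.as.tenant_region`, `custom_flag`) is constructed for illustration.

```python
"""Validate an OAuth 2.0 authorization server metadata document.

Added example for this thread, not code from the discovery draft or from any
participant.  REGISTERED and REQUIRED are assumptions described above; the
sample document at the bottom is constructed.
"""
import json
from urllib.parse import urlsplit

# Metadata names registered by the discovery draft (assumption: approximate).
REGISTERED = frozenset({
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "registration_endpoint", "scopes_supported", "response_types_supported",
    "response_modes_supported", "grant_types_supported",
    "token_endpoint_auth_methods_supported",
    "token_endpoint_auth_signing_alg_values_supported",
    "service_documentation", "ui_locales_supported", "op_policy_uri",
    "op_tos_uri", "revocation_endpoint", "introspection_endpoint",
    "code_challenge_methods_supported",
})

# Names a client needs for the authorization code grant (assumption).
# jwks_uri and registration_endpoint are deliberately absent: per the thread
# both are OPTIONAL, since not every deployment publishes keys or registers
# clients dynamically.
REQUIRED = frozenset({
    "issuer", "authorization_endpoint", "token_endpoint",
    "response_types_supported",
})

# Keys whose values are URLs a client will connect to.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "registration_endpoint", "revocation_endpoint",
                 "introspection_endpoint")


def is_https_url(value):
    """True for an absolute https URL with a host part."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def is_collision_resistant(name):
    """Heuristic for the JWT 'public name' idea: a URI, or a name carrying a
    DNS-style namespace, is unlikely to collide with a future registered
    name; a bare word such as "custom_flag" is not."""
    return ":" in name or "." in name


def partition_names(doc):
    """Split names into registered, namespaced-private and bare-private."""
    registered = {k for k in doc if k in REGISTERED}
    unregistered = set(doc) - registered
    namespaced = {k for k in unregistered if is_collision_resistant(k)}
    return registered, namespaced, unregistered - namespaced


def validate_metadata(doc, expected_issuer):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    for key in sorted(REQUIRED - set(doc)):
        problems.append(f"missing required metadata: {key}")

    issuer = doc.get("issuer")
    if issuer is not None:
        parts = urlsplit(issuer)
        if not is_https_url(issuer) or parts.query or parts.fragment:
            problems.append("issuer must be an https URL with no query or fragment")
        # Mix-up style check: the issuer the document claims must be exactly
        # the issuer the client used to locate the document, so metadata
        # served by one party cannot be passed off as another's.
        if issuer != expected_issuer:
            problems.append(f"issuer mismatch: document says {issuer!r}, "
                            f"expected {expected_issuer!r}")

    for key in ENDPOINT_KEYS:
        if key in doc and not is_https_url(doc[key]):
            problems.append(f"{key} is not an https URL")

    rts = doc.get("response_types_supported")
    if rts is not None and (not isinstance(rts, list) or not rts):
        problems.append("response_types_supported must be a non-empty list")

    _, _, bare = partition_names(doc)
    for key in sorted(bare):
        problems.append(f"unregistered metadata name {key!r} is not collision resistant")
    return problems


# Constructed sample: no jwks_uri or registration_endpoint, one namespaced
# private name and one bare private name.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.com",
  "authorization_endpoint": "https://as.example.com/authorize",
  "token_endpoint": "https://as.example.com/token",
  "response_types_supported": ["code"],
  "scopes_supported": ["profile", "email"],
  "com.example.as.tenant_region": "us-west",
  "custom_flag": true
}""")

if __name__ == "__main__":
    for problem in validate_metadata(SAMPLE_METADATA, "https://as.example.com"):
        print("warn:", problem)
    # The same document presented under a different issuer is rejected.
    for problem in validate_metadata(SAMPLE_METADATA, "https://other.example.net"):
        print("reject:", problem)
```

Run against the constructed document, the only finding is the bare private name `custom_flag`; the missing jwks_uri and registration_endpoint are not reported, which is the behaviour the thread argues for. Feeding the same document under a different expected issuer produces an issuer mismatch, which is the case the mix-up reference in the "issuer" definition is there to prevent.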