Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
William Denniss <wdenniss@google.com> Thu, 18 February 2016 19:43 UTC
On Thu, Feb 18, 2016 at 11:36 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Thanks, William. I’m good with referencing the registry in Section 2.

Great!

> I’ll think about the registered/public/private comment.

I'm not suggesting we necessarily have to use the same registered/public/private structure, only that some discussion of standardized vs non-standard could be helpful for implementers (e.g. try to pick something that is collision resistant for proprietary metadata).

> It’s fine to reference oauth-mix-up-mitigation as a draft in a finished RFC as long as it’s an informative and not a normative reference.

Ah ok, I wasn't aware of that.

> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Thursday, February 18, 2016 11:28 AM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* John Bradley <ve7jtb@ve7jtb.com>; Anthony Nadalin <tonynad@microsoft.com>; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
>
> Two review comments:
>
> 1.
>
> Can the text in "Section 2. Authorization Server Metadata" near the end regarding additional metadata be expanded? I think we should reference the IANA registry established by this spec in that section (as this will be the reference point for people looking for other registered metadata), and possibly mention something about registered vs unregistered parameters and interoperability. At present if you only read that section it is a little vague.
>
> I like the treatment of claims in the JWT spec https://tools.ietf.org/html/rfc7519#section-4.2, splitting into 3 groups: registered, public and private. Not saying we should mirror it exactly, but as an implementer I liked how clearly it was stated in that spec.
>
> 2.
>
> Since this doc is in WG Last call, do we need to remove the reference to the mix-up I-D (Section 2, "issuer"), or are we expecting them to be finalized together?
>
> On Thu, Feb 18, 2016 at 10:42 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> > I'm fine with changing dynamic registration from being RECOMMENDED to OPTIONAL. That's good actionable feedback. Likewise, looking at it again, we also need to change jwks_uri from REQUIRED to OPTIONAL, since not all OAuth deployments need keys.
> >
> > I expect more good, actionable feedback to also come from the WGLC as people carefully read the draft with fresh eyes.
> >
> > -- Mike
> >
> > -----Original Message-----
> > From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> > Sent: Thursday, February 18, 2016 10:33 AM
> > To: Anthony Nadalin <tonynad@microsoft.com>
> > Cc: Mike Jones <Michael.Jones@microsoft.com>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>; oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > We are establishing a registry. Some folks do use dynamic client registration.
> >
> > We can register it in this document or take it out and let others register it once the registry is established.
> >
> > It will be registered one way or the other.
> >
> > One of the reasons for starting last call is to get people to read the draft and comment.
> > That seems to be working.
> >
> > If you have specific security considerations, please let us know so they can be addressed. Text is always appreciated.
> >
> > John B.
> >
> > > On Feb 18, 2016, at 1:27 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> > >
> > > Not sure about that. There are things that are "recommended" like the dynamic registration endpoint, I don't understand why this is recommended as a lot of folks still don't do this. There are security considerations about all the information that is in the discovery that have not been addressed.
> > >
> > > -----Original Message-----
> > > From: Mike Jones
> > > Sent: Thursday, February 18, 2016 10:18 AM
> > > To: Anthony Nadalin <tonynad@microsoft.com>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > > Cc: oauth@ietf.org
> > > Subject: RE: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> > >
> > > It's the OAuth-specific subset of what's already widely deployed. Nothing was invented - just subsetted.
> > >
> > > I think it's already as simple as possible unless the working group decides to remove even more functionality (which it can obviously do).
> > >
> > > -- Mike
> > >
> > > -----Original Message-----
> > > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> > > Sent: Thursday, February 18, 2016 10:13 AM
> > > To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > > Cc: oauth@ietf.org
> > > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> > >
> > > I also think we are way far from last call (and surprised to see last call issued) on this document as it is still very complex for something that should be very simple
> > >
> > > -----Original Message-----
> > > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> > > Sent: Thursday, February 18, 2016 6:47 AM
> > > To: Phil Hunt <phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > > Cc: oauth@ietf.org
> > > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> > >
> > > On 02/18/2016 03:06 PM, Phil Hunt wrote:
> > >> BTW. I think we are FAR from Last Call on this topic.
> > >
> > > Thanks for your feedback, Phil. As you have seen I had issued a WGLC prior to your message based on the claim from the authors that they believe the document is finished.
> > >
> > > We will, of course, take all reviews into account and see where we are with the discovery spec. I, as the shepherd, will also do my review and I encourage many working group members to also take a look at the document and to provide their input.
> > >
> > > Ciao
> > > Hannes
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
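The client-side handling the thread argues about (the "issuer" check whose rationale comes from the mix-up-mitigation draft, jwks_uri and the registration endpoint treated as OPTIONAL, and registered vs. proprietary metadata names), as an added example that is not part of the original message or of any participant's code. The well-known path, the path-insertion rule for issuers with a path component and the partial list of registered names are assumed from the later published RFC 8414; the REQUIRED set, the collision-resistance heuristic and the sample documents are this example's own, and `as.example.com`, `attacker.example.net` and the `vendor.example` namespace are placeholders.

```python
"""Client-side handling of an OAuth 2.0 Authorization Server Metadata
document: the issuer check, optional jwks_uri, and the registered vs.
unregistered (proprietary) metadata-name split discussed in the thread.

Constructed example; the well-known path, the path-insertion rule and the
registered-name list are assumed from the later published RFC 8414.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/oauth-authorization-server"  # assumed (RFC 8414)

# Partial list of registered metadata names, assumed for this example; the
# authoritative list is the IANA registry the discovery spec establishes.
REGISTERED = {
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "registration_endpoint", "scopes_supported", "response_types_supported",
    "grant_types_supported", "token_endpoint_auth_methods_supported",
}
# This example's own policy: jwks_uri and registration_endpoint are OPTIONAL,
# as the thread proposes; only these names are required to be present.
REQUIRED = {"issuer", "authorization_endpoint", "token_endpoint",
            "response_types_supported"}


def metadata_url(issuer):
    """Discovery URL for an issuer identifier (assumed RFC 8414 rule): the
    well-known path is inserted between the host and the issuer's path."""
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return "https://%s%s%s" % (p.netloc, WELL_KNOWN_PATH, p.path.rstrip("/"))


def is_collision_resistant(name):
    """Heuristic (this example's own): a private name is collision resistant
    when it is namespaced by a domain name, a URI or a UUID-like token, i.e.
    carries a '.', ':' or '/'. A bare word such as 'region' is not."""
    return any(ch in name for ch in ".:/")


def validate(raw_json, expected_issuer):
    """Parse and check a metadata document fetched for `expected_issuer`.
    Raises ValueError on any check failure; returns a summary dict."""
    doc = json.loads(raw_json)
    missing = REQUIRED - set(doc)
    if missing:
        raise ValueError("missing required metadata: %s" % sorted(missing))
    # Mix-up defence: the issuer the document claims must be identical to the
    # issuer whose well-known location the client fetched. Otherwise a host
    # that can serve (or tamper with) the document can redirect the client's
    # codes and tokens to endpoints it controls.
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: expected %r, got %r"
                         % (expected_issuer, doc["issuer"]))
    # Every endpoint-valued entry, including the optional jwks_uri, must be https.
    for name, value in doc.items():
        if name.endswith("_endpoint") or name == "jwks_uri":
            if not isinstance(value, str) or urlsplit(value).scheme != "https":
                raise ValueError("%s is not an https URL: %r" % (name, value))
    registered = sorted(n for n in doc if n in REGISTERED)
    unregistered = sorted(n for n in doc if n not in REGISTERED)
    return {
        "issuer": doc["issuer"],
        "has_jwks": "jwks_uri" in doc,
        "registered": registered,
        "unregistered": unregistered,
        "non_collision_resistant": [n for n in unregistered
                                    if not is_collision_resistant(n)],
    }


def is_rejected(raw_json, expected_issuer):
    """True when validate() refuses the document."""
    try:
        validate(raw_json, expected_issuer)
    except ValueError:
        return True
    return False


# Constructed sample documents. `vendor.example` is a placeholder namespace.
GOOD_ISSUER = "https://as.example.com/tenant1"
GOOD_JSON = json.dumps({
    "issuer": GOOD_ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "response_types_supported": ["code"],
    # jwks_uri deliberately absent: this AS issues no signed tokens.
    "vendor.example/region": "eu-west",  # collision-resistant private name
    "region": "eu-west",                 # same value, bare name: may collide
})
# Same host, but the document claims another issuer and points the token
# endpoint elsewhere; the client must not start sending codes there.
MIXUP_JSON = json.dumps({
    "issuer": "https://attacker.example.net",
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://attacker.example.net/token",
    "response_types_supported": ["code"],
})

if __name__ == "__main__":
    print(metadata_url(GOOD_ISSUER))
    print(json.dumps(validate(GOOD_JSON, GOOD_ISSUER), indent=2))
    print("mix-up document rejected:", is_rejected(MIXUP_JSON, GOOD_ISSUER))
```

The summary returned by `validate()` is what a client library would log at first discovery: the unregistered names tell an operator which proprietary metadata a deployment relies on, and the bare `region` entry is the kind of name the thread suggests warning implementers away from, since a future registered parameter of the same name would change its meaning.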