Re: [OAUTH-WG] oauth assertions plan
Mike Jones <Michael.Jones@microsoft.com> Mon, 18 February 2013 19:02 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 834D921F8929 for <oauth@ietfa.amsl.com>; Mon, 18 Feb 2013 11:02:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.58
X-Spam-Level:
X-Spam-Status: No, score=-2.58 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZhJz0zzXtHy for <oauth@ietfa.amsl.com>; Mon, 18 Feb 2013 11:02:47 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.31]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4F121F88F0 for <oauth@ietf.org>; Mon, 18 Feb 2013 11:02:47 -0800 (PST)
Received: from BL2FFO11FD014.protection.gbl (10.173.161.204) by BL2FFO11HUB022.protection.gbl (10.173.161.46) with Microsoft SMTP Server (TLS) id 15.0.620.12; Mon, 18 Feb 2013 19:02:40 +0000
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD014.mail.protection.outlook.com (10.173.160.222) with Microsoft SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Mon, 18 Feb 2013 19:02:40 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.96]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0318.003; Mon, 18 Feb 2013 19:02:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>
Thread-Topic: [OAUTH-WG] oauth assertions plan
Thread-Index: AQHODUSFJYuGTyHp/UK+QNplisn2A5h+fdTAgAASPICAAAGIAIAAiDaAgADB2bCAABe6gIAAAWoQ
Date: Mon, 18 Feb 2013 19:02:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436747063A@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <51212E78.1050206@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739436746DC1C@TK5EX14MBXC284.redmond.corp.microsoft.com> <51214AC5.3090807@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739436746DE40@TK5EX14MBXC284.redmond.corp.microsoft.com> <CALaySJ+YM9_DJ5KB1AnF+D-_1=jMhCdsxrgB3jQaaCLsB7w1Kg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436747042A@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAC4RtVAKUAQosF=tJQLB6FExUriY-WhBv+R_0uX6aP1gegR=QQ@mail.gmail.com>
In-Reply-To: <CAC4RtVAKUAQosF=tJQLB6FExUriY-WhBv+R_0uX6aP1gegR=QQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436747063ATK5EX14MBXC284r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(199002)(189002)(51444002)(76482001)(16236675001)(65816001)(63696002)(47976001)(50986001)(77982001)(59766001)(16297215001)(56816002)(20776003)(15202345001)(4396001)(74502001)(47446002)(16406001)(46102001)(44976002)(49866001)(80022001)(47736001)(74662001)(56776001)(54316002)(51856001)(53806001)(31966008)(54356001)(33656001)(512954001)(15395725002)(79102001)(66066001)(5343645001)(5343635001)(55846006)(5343655001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB022; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0761DE1EDD
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] oauth assertions plan
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2013 19:02:50 -0000
"Dynamically declaring," in what sense? Where are those mechanisms documented? Many of them are documented in draft-ietf-oauth-dyn-reg. One profile (an outer doll :)) that enables fully interoperable implementations is documented in draft-hardjono-oauth-umacore. It uses the "http://docs.kantarainitiative.org/uma/scopes/prot.json" scope value as its "tagged field" value. Another related profile that enables fully interoperable implementations is documented in http://openid.net/specs/openid-connect-messages-1_0.html. It uses the "openid" scope value as its "tagged field" value, per http://openid.net/specs/openid-connect-messages-1_0.html#scopes. I know that Dick Hardt has another profile that's using the JWT Assertion Profile for a BC Government identity project. I know of ones used inside of enterprises and at cloud services as well. -- Mike From: barryleiba.mailing.lists@gmail.com [mailto:barryleiba.mailing.lists@gmail.com] On Behalf Of Barry Leiba Sent: Monday, February 18, 2013 10:37 AM To: Mike Jones Cc: Barry Leiba; oauth-chairs@tools.ietf.org; oauth@ietf.org Subject: Re: [OAUTH-WG] oauth assertions plan I'll get to John's message later, after I digest it more. I can reply to this one now. please explain how you and I can each write applications to that? You can write applications to that by having the profile chain end, and with the contents of the Audience field being completely specified somewhere in the profile chain being used. In order for that to work, we have to know ("we" being both sides of the protocol, and also "we" being different implementors of similar applications) what profile to use. I am proposing that there must be a way for someone writing an application to know what to use in these fields that will work with your application (or will work with a server in the same way as your application does, or whatever) *without* having to go to the documentation of your application to figure it out. I agree with what I think you mean, but possibly not with how you're saying it. Using the TCP analogy again, in fact, to understand the contents of the TCP stream for port 25, one has to go to the documentation of the application communicating on port 25. In this case, that documentation is RFC 821 and its successors. Yeh, here's where we're disconnected. One does NOT have to go to the documentation of the application at all. One has to go to the specification of SMTP. But one needn't know *anything* about any other implementations of SMTP: everything you need is in the SMTP spec (including that it runs on port 25). If there were a similar thing here, I'd be happy. But if there's a similar thing here, I don't see it. I'll also observe that the working group is also working on a specification that enables an OAuth client to dynamically register itself with the Authorization Server (draft-ietf-oauth-dyn-reg) and that that registration does declare information about what profile is being used, as John Bradley pointed out in his response. That's a key piece of the whole solution to enable interoperable implementations. It sounds like it is a key piece, and in that case I think that document needs to come forward along with (or before) the ones that depend on it for interoperability. Absent something like that, we can't evaluate whether it's possible to write interoperable implementations of this spec. We already do have mechanisms for dynamically declaring what profile is being used, and we are using them. "Dynamically declaring," in what sense? Where are those mechanisms documented? I agree with Stephen that we should let this conversation run for a while to make sure everyone comes to a common understanding, but ultimately, I hope that you'll withdraw your DISCUSS, because, in fact, interoperable implementations can be written by reading the specs used alone. I still don't see that that's true (how did those interoperable implementations resolve the incompletely specified bits?), but, in any case, don't obsess over the DISCUSS ballot, because it no longer matters: Stephen has returned the document to the working group, and when it comes back to IESG Evaluation again I'm sure Stephen will issue a new ballot and we'll start the process from a clean slate. Barry
- [OAUTH-WG] oauth assertions plan Stephen Farrell
- Re: [OAUTH-WG] oauth assertions plan Mike Jones
- Re: [OAUTH-WG] oauth assertions plan Stephen Farrell
- Re: [OAUTH-WG] oauth assertions plan Mike Jones
- Re: [OAUTH-WG] oauth assertions plan Stephen Farrell
- Re: [OAUTH-WG] oauth assertions plan John Bradley
- Re: [OAUTH-WG] oauth assertions plan Barry Leiba
- Re: [OAUTH-WG] oauth assertions plan Stephen Farrell
- Re: [OAUTH-WG] oauth assertions plan John Bradley
- Re: [OAUTH-WG] oauth assertions plan Mike Jones
- Re: [OAUTH-WG] oauth assertions plan Barry Leiba
- Re: [OAUTH-WG] oauth assertions plan Mike Jones
- Re: [OAUTH-WG] oauth assertions plan Barry Leiba
- Re: [OAUTH-WG] oauth assertions plan Barry Leiba
- Re: [OAUTH-WG] oauth assertions plan Brian Campbell
- Re: [OAUTH-WG] oauth assertions plan John Bradley
- [OAUTH-WG] Mandatory to implement (was: oauth ass… SM
- Re: [OAUTH-WG] Mandatory to implement (was: oauth… John Bradley
- Re: [OAUTH-WG] Mandatory to implement Stephen Farrell
- Re: [OAUTH-WG] Mandatory to implement Barry Leiba
- Re: [OAUTH-WG] Mandatory to implement Mike Jones
- Re: [OAUTH-WG] Mandatory to implement John Bradley