Re: [OAUTH-WG] A Proposal for Dynamic Registration
George Fletcher <gffletch@aol.com> Wed, 07 August 2013 14:26 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03FE621F9FF2 for <oauth@ietfa.amsl.com>; Wed, 7 Aug 2013 07:26:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pURYPA-DuFYp for <oauth@ietfa.amsl.com>; Wed, 7 Aug 2013 07:26:21 -0700 (PDT)
Received: from omr-d08.mx.aol.com (omr-d08.mx.aol.com [205.188.109.207]) by ietfa.amsl.com (Postfix) with ESMTP id 72BBD21E8130 for <oauth@ietf.org>; Wed, 7 Aug 2013 07:26:05 -0700 (PDT)
Received: from mtaout-da05.r1000.mx.aol.com (mtaout-da05.r1000.mx.aol.com [172.29.51.133]) by omr-d08.mx.aol.com (Outbound Mail Relay) with ESMTP id 1CEFD700443CB; Wed, 7 Aug 2013 10:26:04 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da05.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id C79D0E0000B3; Wed, 7 Aug 2013 10:26:03 -0400 (EDT)
Message-ID: <520258FB.8040305@aol.com>
Date: Wed, 07 Aug 2013 10:26:03 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <52016822.2090703@mitre.org>
In-Reply-To: <52016822.2090703@mitre.org>
Content-Type: multipart/alternative; boundary="------------000703080707080204090400"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/92756
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1375885564; bh=QB5C+w/uU3df1BvNiVmFbcPgfqULr4Ji3alkk6DwWiA=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=fSUMAvAwYSewzjLXCO3x6euHBU7+thYkGN71Snzvijsa1M3GU9PoAQhVtFlwDb+lO 1Shmqz1mPbQAQ33/LSRUubsdPC2lsz6XxQb/BeR4PhBccjtG87wpl9vvoKRLuqx187 kzWp5aZA74dvojVyUoQTjBr8M1U9w1e+1Dla66LU=
x-aol-sid: 3039ac1d3385520258fb0d27
X-AOL-IP: 10.181.176.30
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 14:26:26 -0000
+1 On 8/6/13 5:18 PM, Justin Richer wrote: > At last week's IETF meeting, there was quite a lot of talk about the > Dynamic Registration draft as well as a few other related drafts in > this space. I would like to propose to the group what I think would be > a positive working structure among the different approaches that would > let us move everything forward. The source documents in discussion > here are the WG's Dynamic Registration (draft 14) and Phil Hunt's > individual submission of a SCIM-based alternative with some software > assertion components to it. I suggest we refactor these into three > documents: > > - OAuth Dynamic Registration > - SCIM-based OAuth Dynamic Registration > - Software Statements for OAuth Dynamic Registration > > I think that they all have their place in the world, and this is how I > see them fitting together: > > > OAuth Dynamic Registration > > What it is: Essentially the draft we have today, draft 14. This draft > defines a standalone RESTful API for dealing with client > registrations, it allows for open registration as well as protected > registration, and perhaps most importantly we know that it works > because people have implemented it as part of several different APIs. > This could have an informational pointer to the SCIM draft and the > Software Statements draft. We could call this one "core" or "basic" or > some other modifier, but I don't think that's necessary because it > already does what it says on the tin. > > What it needs to concentrate on: This needs to be a "base" document > with extension hooks in key places (such as the client metadata, which > is already extensible, and places that have been made extensible like > the token_endpoint_auth_method, and perhaps others). It needs to get > its job done, allowing for full specification of the simple case in an > interoperable way (anonymous registration of self-asserted client > metadata to receive a client identifier and manage the registration) > and be extensible and flexible enough for the more complex cases. > > What we should do: I think that we should continue shepherding this > document through WGLC in the OAuth WG because there are no specific > open issues in the spec (that I, the editor, am aware of) and I've > seen what I would personally consider to be rough consensus on it (not > unanimous, but that's not necessary anyway). > > > > SCIM-based OAuth Dynamic Registration: > > What it is: Most of Phil's draft, this defines a SCIM profile for > managing OAuth clients dynamically. This will accomplish the same > kinds of things that the OAuth Dynamic Registration Draft will > accomplish, but in a SCIM-like manner. This will have a normative > dependency on SCIM (of some version), and probably an informational > dependency on OAuth Dynamic Registration. This could have an > informational pointer to the Software Statements draft. This draft is > very useful if you're already deploying a SCIM based system, and if > you're investing in SCIM then it's going to be a smaller step to > support this than it would be the base draft. However, I strongly > believe that SCIM is a really big jump for implementing basic > functionality that this is trying to accomplish. > > What it needs to concentrate on: Tracking with the overall SCIM > specification (on which it depends) and tracking with the data model > and general usage of the OAuth Dynamic Registration protocol (wherever > it makes sense to do so). > > What we should do: I think that this draft should be picked up and > worked on as an IETF document, but I think that it probably makes more > sense for that work to be done inside of the SCIM working group. The > reasons for this are twofold: First, this draft really should look and > feel like SCIM, and to do that it really needs the attention of the > group that's defining SCIM. Second, SCIM isn't completed and likely > won't be for some time to come, and this draft needs to track with > that protocol as it moves through the IETF process. > > > > Software Statements for OAuth Dynamic Registration > > What it is: Section 4 of Phil's draft (plus a few other bits, > discussed here), this defines a method for presenting signed and/or > verifiable claims to the registration server's endpoint. This is most > useful when an authorization server can verify the claims being > presented, such as being able to discover the signing key from the > "iss" claim and validate the signature. This could also be used (with > some additional specification) by a discovery-based system that could > fix ahead of time some of the claims for a given piece of software > (like we've done with BlueButton+). In some circumstances, this > assertion could even contain all relevant bits of the registration, > leaving the rest of the metadata fields blank. This is essentially the > "use the assertion as the registration" flow that Phil discussed at > the meeting, from what I understand. In all of these cases, it can > give us a higher assurance for the registration and means to tie > together multiple instances of a piece of software across a network. > > What it needs to concentrate on: Making the software statements > interoperable. I don't think this is going to be an easy task, and I > think it's going to be a long process to get it *right* for all players. > > What we should do: I think that this draft should be picked up by the > OAuth Working Group as a WG document, and it should be built as an > extension to both the OAuth Dynamic Registration and SCIM-based OAuth > Dynamic Registration documents. I think it's important, but it's added > functionality on top of either the RESTful or the SCIM-based > registration documents, and as such it should have a normative > reference to both of them with detailed profiles of how to use them. > > > > > > > So in all, we've got three main documents, each with different > purposes and concentrations, and with different timelines. I don't see > any problem with these coexisting, and I think doing things this way > can cover all of our known use cases and let us actually progress > these documents and move forward. > > -- Justin > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- George Fletcher <http://connect.me/gffletch>
- [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration George Fletcher
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Josh Mandel
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Phil Hunt
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Richer, Justin P.
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Leif Johansson
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Prateek Mishra
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Phil Hunt
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Sergey Beryozkin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Anthony Nadalin
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Justin Richer
- Re: [OAUTH-WG] A Proposal for Dynamic Registration Sergey Beryozkin