Re: [OAUTH-WG] JWT Token on-behalf of Use case

Justin Richer <jricher@mit.edu> Tue, 07 July 2015 19:51 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAHbuEH4hZDtr=0fE96bsJDxEzp-ZctJrrpYP4xgEKvGVRJ8Dsw@mail.gmail.com>
Date: Tue, 07 Jul 2015 15:51:32 -0400
Message-Id: <C609D767-6A50-4503-B741-EE19827F3F9A@mit.edu>
References: <6B22D19DBF96664DBF49BC7B326402B42739A904@xmb-aln-x09.cisco.com> <BY2PR03MB442205D40E8F1ECD88082F2F5AE0@BY2PR03MB442.namprd03.prod.outlook.com> <55928DB3.7090300@gmail.com> <5593C270.7000008@gmail.com> <5593DA7D.80401@mit.edu> <5593E5FD.3050403@gmail.com> <CA+k3eCTA+HmwnMBUBzD7FKYWL37BMA7az_2BE+vnqqpO3=2utw@mail.gmail.com> <559A676F.3070008@gmail.com> <CA+k3eCTJsLqn88K4qEYJUzoxwAH4boWGsvJZtZi8guvV6C6zSA@mail.gmail.com> <DEAFAD4A-36F8-47D7-813D-35948CDCEA2C@ve7jtb.com> <BY2PR03MB44276C3D04E3FE5AE238298F5930@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCTRK9ND5c2HbDU=3ctZ3J4u3HMA2QHNZfEpwtfcwiLxfQ@mail.gmail.com> <CY1PR0301MB12437C5CFE06B7837375E5DBA6930@CY1PR0301MB1243.namprd03.prod.outlook.com> <2BB85061-F141-478C-96B1-5086AFDA1F4F@oracle.com> <559B176F.90105@mit.edu> <tsly4irlqsp.fsf@mit.edu> <CAHbuEH4hZDtr=0fE96bsJDxEzp-ZctJrrpYP4xgEKvGVRJ8Dsw@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NSaU8yq6tIYR2ToLxuiliIytHQ8>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT Token on-behalf of Use case

Kathleen,

I agree that Brian’s approach covers the use case that drove my original draft and effectively subsumes my approach.

My standing contention with the document as it stands is and has always been that it’s lacking a general syntactical approach and it isn’t very OAuth-y. I would love to see a productive conversation on this front.

— Justin

> On Jul 7, 2015, at 3:43 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> I'm just catching up on this thread, but would appreciate an in-room discussion on this topic that doesn't assume the adopted draft has the agreed upon approach as I am not reading that there is consensus on that approach in this thread at all.
> 
> Could we see presentations on Mike's draft and Brian's?  Justin, do you agree that Brian's draft covers the use case in our draft as was implied in this thread?  
> 
> I'd like to see a discussion guided by the chairs to see if we can find a go-forward plan.  There seem to be differing opinions and maybe a pull towards simpler approaches that extend OAuth.
> 
> Thank you.
> 
> On Tue, Jul 7, 2015 at 3:18 PM, Sam Hartman <hartmans-ietf@mit.edu <mailto:hartmans-ietf@mit.edu>> wrote:
> Speaking as someone who is reasonably familiar with Kerberos and the
> general concepts involved, I find both Microsoft/Kerberos technology
> (constrained delegation/protocol transition) and the ws-trust text
> horribly confusing and would recommend against all of the above as
> examples of clarity.
> After several years I've finally gotten to a point where I understand
> the Kerberos terms, but that's simply by using them regularly, not
> because there was clarity.
> 
> 
> This may be a case where new terminology is worthwhile if you can find
> something that multiple people (especially new readers not overly
> familiar with the concepts) find to be clear.
> 
> 
> 
> 
> -- 
> 
> Best regards,
> Kathleen