Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

William Denniss <wdenniss@google.com> Wed, 20 January 2016 06:39 UTC

From: William Denniss <wdenniss@google.com>
Date: Wed, 20 Jan 2016 14:38:59 +0800
Message-ID: <CAAP42hCf8yGTd6eHa3k2aC91+yk5V43MeaWi9-UjqtCvptdpxw@mail.gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NbLRN4FuxBsQ3Ttj6wH4mds9muk>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

On Wed, Jan 20, 2016 at 12:37 PM, Manger, James <James.H.Manger@team.telstra.com> wrote:

> Accepting draft-jones-oauth-amr-values-03 is almost okay as a starting
> point for work.
>

+1 for adoption.


> I would like to see significant changes though:
>
> * The "amr_values" parameter should be dropped; it just encourages brittle
> designs as section 4 "relationship to acr" and section 6 "security
> considerations" already warn about. There is no need to enable that
> brittleness. If someone really wants this functionality they could put an
> amr value in the "acr_values" field as a hack.
>

I agree that it seems to encourage brittle designs. Why would the OP want
to use "otp" when it has U2F on file for the same user, for example? But
come to think of it, is any use of "amr" non-brittle? I guess the broader
ones like "user", "rba", "mca" and "mfa" are a little more future-proof.

I'm very keen to hear some concrete use-cases for this parameter.

> * The model for amr_values is wrong as well. For example,
> "amr":["pwd","otp"] could be a common response that you want, but you
> cannot ask for that with amr_values since amr_values="pwd otp" actually
> means just "pwd", or just "otp" is okay (and just "pwd" is your preference).
>
> * Registering values on a "Specification Required" basis is over-the-top.
> This doc registers 8 amr values with just a few words as each value's
> "specification" (eg "eye": retina scan biometric). Each of the other 7 amr
> values are "specified" in a few lines with a reference (or two). A "First
> Come First Served" basis is probably sufficient, with the "specification"
> just the description in the registry (that can include references).
>

I agree, "Specification Required" does seem like a high bar.


> --
> James Manger
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Tuesday, 19 January 2016 10:48 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Call for Adoption: Authentication Method Reference
> Values
>
> Hi all,
>
> this is the call for adoption of Authentication Method Reference Values,
> see
> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>
> Please let us know by Feb 2nd whether you accept / object to the adoption
> of this document as a starting point for work in the OAuth working group.
>
> Note: The feedback during the Yokohama meeting was inconclusive, namely
> 9 for / zero against / 6 persons need more information.
>
> Your feedback will therefore be important to find out whether we should do
> this work in the OAuth working group.
>
> Ciao
> Hannes & Derek
>
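The mismatch James describes between the "amr" claim and the "amr_values" request parameter, as an added illustration that is not code from the draft or from either poster. It models "amr_values" as a space-separated list of alternatives in preference order (OR semantics, as the message states) beside an RP-side policy check that can require a combination of methods or accept a broad value such as "mfa"; the token payload and issuer are constructed placeholders.

```python
import json

# Constructed sample: decoded payload of an ID token whose "amr" claim
# reports that both a password and a one-time password were used.
SAMPLE_ID_TOKEN_PAYLOAD = json.dumps({
    "iss": "https://op.example",   # placeholder issuer, not a real OP
    "sub": "248289761001",         # constructed subject identifier
    "amr": ["pwd", "otp"],
})


def amr_claim(payload_json):
    """Return the 'amr' claim as a list of strings, or [] when absent."""
    claims = json.loads(payload_json)
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def amr_values_satisfied(amr, amr_values):
    """Request-side semantics as described in the thread: amr_values lists
    alternatives in preference order, so the response satisfies it if ANY
    one of them appears in 'amr'. Returns the most-preferred match or None.
    Note that "pwd otp" is satisfied by a token carrying only "pwd"."""
    for wanted in amr_values.split():
        if wanted in amr:
            return wanted
    return None


def policy_satisfied(amr, require_all=(), accept_any=()):
    """RP-side check that expresses what amr_values cannot: every method in
    require_all must be present (AND), or any broad method in accept_any
    (for example "mfa") may stand in for the whole combination."""
    if any(v in amr for v in accept_any):
        return True
    return bool(require_all) and all(v in amr for v in require_all)


if __name__ == "__main__":
    amr = amr_claim(SAMPLE_ID_TOKEN_PAYLOAD)
    print(amr_values_satisfied(amr, "pwd otp"))                    # -> pwd
    print(amr_values_satisfied(["pwd"], "pwd otp"))                # -> pwd (OR, not AND)
    print(policy_satisfied(["pwd"], require_all=("pwd", "otp")))   # -> False
    print(policy_satisfied(amr, require_all=("pwd", "otp")))       # -> True
    print(policy_satisfied(["mfa"], require_all=("pwd", "otp"),
                           accept_any=("mfa",)))                   # -> True
```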