Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Mike Jones <Michael.Jones@microsoft.com> Thu, 09 March 2017 05:53 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 441EF129400; Wed, 8 Mar 2017 21:53:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpFnXb06FGz7; Wed, 8 Mar 2017 21:53:19 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0135.outbound.protection.outlook.com [104.47.41.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B2F3127ABE; Wed, 8 Mar 2017 21:53:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Ai6rrUS6AGeHx8XCSkAFXvUIJrdDChn7U0iQqHz3zK4=; b=Tl9o3xxILlrP3E4OWt++tvj7om+IjeOl4U+UIcR7cW19HrxxNhlgL9hH/IVzJjy3U7oBhT2uCi2xQgJaRFhEQajNnSNcjuSBW/8IR20djhsmjGwQIqWVZlC3azcc6cC38HOia+9mDJmiSg4FNQ7RvZHdZbxuo/i8LAGTRVHIpgM=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Thu, 9 Mar 2017 05:53:16 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Thu, 9 Mar 2017 05:53:16 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Thread-Index: AQHSe97H5hXZpqeBE0CT6lHMY4yQFKFUP6sAgAABIQCAAB5D0IAAXXiAgAAdOACAAABqIIAAA2uAgAAA3wCAAAAzAIAAAO4AgAAAVZCAAAOFgIAqgOKggAkWs0CAABoJgIAAAbuQgAAGWICAATemAIAAD7wAgAJUoqA=
Date: Thu, 09 Mar 2017 05:53:15 +0000
Message-ID: <CY4PR21MB0504A295ED2CDA35A1377239F5210@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie> <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie> <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com> <da9a6295-8d8a-0d4d-e095-702bf679729d@cs.tcd.ie>
In-Reply-To: <da9a6295-8d8a-0d4d-e095-702bf679729d@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-ms-office365-filtering-correlation-id: 288d236c-1c1e-4542-48f5-08d466b094b9
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0504;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:zUZRyhzdLiPrg3g/jDPXLBpIcDYqK0Dc81iaDXdG8XVgGrrGgPNCexdyLps5pNmyQxmHZ9zs6LGdTHLP4OEIeJbD6xh0ie/qLRsJrCc3sr5z+iecyvndaILuUhiJ4kxLMUSwSoDMHTIHHUbGL9jBYlXhcntlCRiCCB0tI5pRXHmNxIA5dNTOj7/lkjS6dBMhrYcZKb+rTl6DtuC5OMb34PW4Rq85Hns61GJ6CbrNP1xT9CcVebRZ7P64/KN96hmr4XJDArXkWRHpf32OSYfU2b4WS5NqAKTx+bk/xq+89A3BW0uNqBW1Tos70T/MAZ88SZI/Pk+MAfrhyJZR4c4G9hP0OLt13kIWqMX2kDFTa90=
x-microsoft-antispam-prvs: <CY4PR21MB05042D0995A19F5A5B335417F5210@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715)(120809045254105)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123560025)(20161123564025)(20161123555025)(20161123562025)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504;
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39410400002)(39840400002)(39450400003)(39860400002)(39850400002)(377454003)(40224003)(13464003)(24454002)(43784003)(51914003)(99286003)(8676002)(1720100001)(3660700001)(305945005)(3280700002)(229853002)(2900100001)(54356999)(106116001)(10090500001)(966004)(77096006)(2906002)(189998001)(8936002)(7736002)(74316002)(5005710100001)(551544002)(2561002)(33656002)(10290500002)(81166006)(86612001)(230783001)(6246003)(50986999)(102836003)(93886004)(122556002)(6306002)(3846002)(53546006)(53946003)(53936002)(25786008)(4326008)(9686003)(5660300001)(6436002)(54906002)(66066001)(55016002)(7696004)(6506006)(38730400002)(86362001)(2950100002)(6116002)(1511001)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2017 05:53:15.9508 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NoWNwjGwPUvmaZHO8_dt-Sz0s90>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 05:53:22 -0000
Hi Stephen, I've added text to the introduction explaining that the values are intended to provide identifiers for families of closely-related authentication methods, based on our discussion of this topic. See the diffs at https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-amr-values-07. Hopefully this clarifies things sufficiently to satisfy the intent of your DISCUSS, Stephen. Let me know. I also updated the MODRNA Authentication Profile reference. Thanks again, -- Mike -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] Sent: Tuesday, March 7, 2017 10:11 AM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS) On 07/03/17 17:17, Mike Jones wrote: > You're right, Stephen. Re-reading the spec, it doesn't say that, and > it should. Sometimes it takes someone giving a spec a fresh read to > uncover things that the authors understood and intended but failed to > be captured in the text. This is such a case - so thanks. > > I'll add this information, which is necessary to understand the > intent, and then republish. Ah good, that explains the disconnect. Cheers, S. > > -- Mike > > -----Original Message----- From: Stephen Farrell > [mailto:stephen.farrell@cs.tcd.ie] Sent: Monday, March 6, 2017 2:39 PM > To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin > <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG > <iesg@ietf.org> Cc: oauth-chairs@ietf.org; > draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re: > [OAUTH-WG] Stephen Farrell's Discuss on > draft-ietf-oauth-amr-values-05: (with DISCUSS) > > > Hi Mike, > > On 06/03/17 22:34, Mike Jones wrote: >> Thanks for the reply, Stephen. I'll try to find better >> interop-producing references where possible. >> >> >> In some cases, however, the values are intentionally intended to >> provide an identifier for a family of closely-related methods, such >> as "otp", which covers both time-based and HMAC-based OTPs. > > Hmm. I don't recall text saying that in the draft, but it's possible > that I missed it - can you point me at that? > > I do agree that if the semantics here were "some otp was used" then it > would not be necessary to specify exactly which OTP scheme was used. > But that wasn't how I read what this spec was doing. (Again, that > could be me getting the wrong end of the stick.) > > S. > > >> Many relying parties will be content to know that an OTP has been >> used in addition to a password. The distinction between which kind >> of OTP was used is not useful to them. Thus, there's a single >> identifier that can be satisfied in two or more nearly equivalent >> ways. I consider this to be a feature - not a bug. >> >> >> >> Similarly, there's a whole range of nuances between different >> fingerprint matching algorithms. They differ in false positive and >> false negative rates over different population samples and also >> differ based on the kind and model of fingerprint sensor used. >> Like the OTP case, many RPs will be content to know that a >> fingerprint match mas made, without delving into and differentiating >> based on every aspect of the implementation of fingerprint capture >> and match. Those that want more precision than this can always define >> new "amr" values. But "fpt" is fine as is for what I believe will be >> the 90+% case. >> >> >> >> Ultimately, the RP is depending upon the Identity Provider to do >> reasonable things. If it didn't trust the IdP to do so, it has no >> business using it. The "amr" value lets the IdP signal to the RP >> additional information about what it did, for the cases in which that >> information is useful to the RP. >> >> >> >> Reducing this to the point of absurdity, the RP would almost never >> care about the make, model, and serial number of the fingerprint >> reader or OTP. Values could be defined to provide that granularity. >> But making those fine-grained distinctions are not useful in >> practice. >> >> >> >> Please consider the existing definitions in light of that reductio ad >> absurdum. The existing values only make distinctions that are known >> to be useful to RPs. Slicing things more finely than would be used >> in practice actually hurts interop, rather than helping it, because >> it would force all RPs to recognize that several or many different >> values actually mean the same thing to them. >> >> >> >> -- Mike >> >> >> >> -----Original Message----- From: Stephen Farrell >> [mailto:stephen.farrell@cs.tcd.ie] Sent: Monday, March 6, 2017 2:10 >> PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin >> <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG >> <iesg@ietf.org> Cc: oauth-chairs@ietf.org; >> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re: >> [OAUTH-WG] Stephen Farrell's Discuss on >> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >> >> >> >> >> Hi Mike, >> >> >> >> Apologies - I updated the discuss ballot text [1] on Feb 28 but >> must've not sent it as an email or something. Anyway... >> >> >> >> [1] >> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/ >> >> >> >> >> On 06/03/17 20:38, Mike Jones wrote: >> >>> Hi Stephen. The changes in draft -06 were intended to address your >> >>> DISCUSS points. Are you satisfied with these changes or are there >> >>> additional changes you want? I'm asking partly because it's a week >> >>> now until the submission cutoff and if additional changes are >>> needed, >> >>> I'd like to make them this week. >> >> >> >> So I do think there's still work to be done, may as well copy the new >> ballot text here: >> >> >> >> " >> >> I think we still have the problem that the values "defined" here >> (e.g. "fpt") are under specified to a significant degree. RFC4949 >> does not tell anyone how to achieve interop with "fpt" (nor any of >> the other cases where you refer to 4949 I think). There is therefore >> no utility in "defining" "fpt" as it will not achieve interop and in >> fact is more likely to cause confusion than interop. >> If the solution of actually defining the meaning of things like "fpt" >> is not achievable then perhaps it will be better to only define those >> for which we can get interop ("pwd" and one or two >> others) and leave the definition of the rest for later. (In saying >> that I do recall that one of the authors said that there are >> implementations that use some of these type-names, but the point of >> RFCs is not to "bless" >> >> such things, but to achieve interop.) >> >> " >> >> >> >> Cheers, >> >> S. >> >> >> >>> >> >>> Thanks, -- Mike >> >>> >> >>> -----Original Message----- From: Mike Jones >> >>> [mailto:Michael.Jones@microsoft.com] Sent: Tuesday, February 28, >>> 2017 >> >>> 6:17 PM To: Stephen Farrell >>> <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>; >>> Anthony >> >>> Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; >>> joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The >> >>> IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >> >>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-val >>> u >>> >>> es@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: RE: >> >>> [OAUTH-WG] Stephen Farrell's Discuss on >> >>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>> >> >>> Hi Stephen, >> >>> >> >>> Draft -06 >>> https://tools.ietf.org/html/draft-ietf-oauth-amr-values-06 >> >>> adds references for all of the defined "amr" values. Thanks for >> >>> taking the time to have a thoughtful discussion. >> >>> >> >>> -- Mike >> >>> >> >>> -----Original Message----- From: Stephen Farrell >> >>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, >>> 2017 >> >>> 4:45 PM To: Mike Jones >>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; >>> >>> Anthony Nadalin >> >>> <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; joel jaeggli >>> <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG >> >>> <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >> >>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-val >>> u >>> >>> es@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: >> >>> [OAUTH-WG] Stephen Farrell's Discuss on >> >>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>> >> >>> >> >>> >> >>> On 02/02/17 00:35, Mike Jones wrote: >> >>>> You can call me lazy if you want. >> >>> >> >>> I don't think you're lazy:-) Were I to guess I'd guess that interop >> >>> for these wasn't a priority and that we're defining them a bit early >> >>> and a little too generically. >> >>> >> >>>> Some of them are so well known, such as "password" or "PIN" it >>>> didn't >> >>>> seem worthwhile to try to track down a reference. >> >>> >> >>> Sure, those are fine. The only issues would be if there's a >>> string2key >> >>> function somewhere but I don't expect there is in this context. >> >>> >> >>>> But I'm willing to work with others to find decent references for >>>> the >> >>>> rest of them, if you believe that would improve the quality of the >> >>>> specification. >> >>> >> >>> I do think it would, esp for cases where there are known different >> >>> options (e.g. otp) or likely ill-defined or proprietary formats. >>> My >> >>> guess is that some biometrics fit that latter but I could be wrong. >> >>> If they do, then one runs into the problem of having to depend on >> >>> magic numbers in the encodings or similar to distinguish which is >> >>> really error prone and likely to lead to what our learned transport >> >>> chums are calling ossification;-) >> >>> >> >>> Cheers, S. >> >>> >> >>> >> >>>> >> >>>> Best wishes, -- Mike >> >>>> >> >>>> -----Original Message----- From: Stephen Farrell >> >>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, >> >>>> 2017 4:31 PM To: Mike Jones >>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; >>>> >>>> Anthony >> >>>> Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; >>>> joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The >> >>>> IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >> >>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-va >>>> l >>>> >>>> ues@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: >> >>>> [OAUTH-WG] Stephen Farrell's Discuss on >> >>>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>>> >> >>>> >> >>>> >> >>>> On 02/02/17 00:28, Mike Jones wrote: >> >>>>> The other case of known interop testing of "amr" values is for >> >>>>> MODRNA (OpenID Connect Mobile Profile) implementations. >>>>> There's a >> >>>>> reference to its use of "amr" values in the spec. >> >>>> >> >>>> Yeah, iirc, that one seemed ok (assuming the reference tells me >>>> what >> >>>> code to write which I assume it does). >> >>>> >> >>>> I'm still not seeing why some do have sufficient references and >> >>>> others do not. >> >>>> >> >>>> Is there some difficulty with finding references or something? >> >>>> >> >>>> S >> >>>> >> >>>>> >> >>>>> -----Original Message----- From: Anthony Nadalin Sent: >>>>> Wednesday, >> >>>>> February 1, 2017 4:27 PM To: Stephen Farrell >> >>>>> <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>; >>>>> >>>>> Mike Jones >> >>>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; >>>>> >>>>> joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The >> >>>>> IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >> >>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-v >>>>> a >>>>> >>>>> lues@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: RE: >> >>>>> [OAUTH-WG] Stephen Farrell's Discuss on >> >>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>>>> >> >>>>> We have interoped between FIDO authenticators vendors and Windows >> >>>>> Hello >> >>>>> >> >>>>> -----Original Message----- From: Stephen Farrell >> >>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, >> >>>>> 2017 4:24 PM To: Mike Jones >>>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; >>>>> >>>>> Anthony >> >>>>> Nadalin >>>>> <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; joel >>>>> jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; >> >>>>> The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >> >>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-v >>>>> a >>>>> >>>>> lues@ietf.org>; >> >>>>> oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] >>>>> Stephen Farrell's Discuss on >> >>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>>>> >> >>>>> >> >>>>> >> >>>>> On 02/02/17 00:21, Mike Jones wrote: >> >>>>>> Thanks, Tony. I can add that reference. >> >>>>>> >> >>>>>> Stephen, the sets of initial values were chosen from those used >>>>>> in >> >>>>>> practice by Microsoft and Google in real deployments. >> >>>>> >> >>>>> Genuine questions: do you aim to have interop between those >> >>>>> deployments? What if I wanted to write code that'd interop with >>>>> msft >> >>>>> or google? >> >>>>> >> >>>>> S. >> >>>>> >> >>>>>> >> >>>>>> About "otp", there are existing use cases for indicating that an >> >>>>>> OTP was used. I'm not aware of any of these use cases where the >> >>>>>> distinction between TOTP and HOTP is important. Thus, having >>>>>> "otp" >> >>>>>> now makes sense, where having "hotp" and "totp" >> >>>>>> now doesn't. >> >>>>>> >> >>>>>> Stephen, this may seem like splitting hairs, but the registry >> >>>>>> instructions for "Specification Document(s)" are about having a >> >>>>>> reference for the document where the Authentication Method >> >>>>>> Reference Name (such as "otp") is defined. In all cases for the >> >>>>>> initial values, this is the RFC-to-be, so the registry >>>>>> instructions >> >>>>>> are satisfied. If someone were, for instance, to define the >>>>>> string >> >>>>>> "hotp", it would be incumbent on the person requesting its >> >>>>>> registration to provide a URL to the document where the string >> >>>>>> "hotp" is defined. Also having a reference to RFC 4226 in that >> >>>>>> document would be a good thing, but that isn't what the registry >> >>>>>> instructions are about. >> >>>>>> >> >>>>>> All that said, I can look at also finding appropriate references >> >>>>>> for the remaining values that don't currently have them. >>>>>> (Anyone >> >>>>>> got a good reference for password or PIN to suggest, for >>>>>> instance?) >> >>>>>> >> >>>>>> -- Mike >> >>>>>> >> >>>>>> -----Original Message----- From: Anthony Nadalin Sent: >> >>>>>> Wednesday, February 1, 2017 4:10 PM To: Stephen Farrell >> >>>>>> <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>; >>>>>> >>>>>> Mike Jones >> >>>>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> >>>>>> ; >>>>>> >>>>>> joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; >> >>>>>> The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >> >>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr- >>>>>> v >>>>>> >>>>>> alues@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: >> >>>>>> RE: [OAUTH-WG] Stephen Farrell's Discuss on >> >>>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>>>>> >> >>>>>> NIST asked for the addition of IRIS (as they are seeing more use >>>>>> of >> >>>>>> IRIS over retina due to the accuracy of iris) as they have been >> >>>>>> doing significant testing on various iris devices and continue to >> >>>>>> do so, here is a report that NIST released >> >>>>>> http://2010-2014.commerce.gov/blog/2012/04/23/nist-iris-recogniti >>>>>> o >>>>>> >>>>>> n >> >>>>>> -report-evaluates-needle-haystack-search-capability.html >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> >> >>>> >> >>>>>> >> >>> >> >>>>>> >> >> -----Original Message----- From: Stephen Farrell >> >>>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, >> >>>>>> 2017 2:26 PM To: Mike Jones >>>>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> >>>>>> ; >>>>>> >>>>>> joel >> >>>>>> jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG >>>>>> <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >> >>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr- >>>>>> v >>>>>> >>>>>> alues@ietf.org>; >> >>>>>> oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: >>>>>> [OAUTH-WG] Stephen Farrell's Discuss on >> >>>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>>>>> >> >>>>>> >> >>>>>> Hi Mike, >> >>>>>> >> >>>>>> On 01/02/17 17:00, Mike Jones wrote: >> >>>>>>> Thanks for the discussion, Stephen. >> >>>>>>> >> >>>>>>> To your point about "otp", the working group discussed this very >> >>>>>>> point. They explicitly decided not to introduce "hotp" >> >>>>>>> and "totp" identifiers because no one had a use case in which >>>>>>> the >> >>>>>>> distinction mattered. >> >>>>>> >> >>>>>> Then I'm not following why adding "otp" to the registry now is a >> >>>>>> good plan. >> >>>>>> >> >>>>>> If there's a use-case now, then adding an entry with a good >> >>>>>> reference to the relevant spec seems right. >> >>>>>> >> >>>>>> If there's no use-case now, then not adding it to the registry >> >>>>>> seems right. (Mentioning it as a possible future entry would be >> >>>>>> fine.) >> >>>>>> >> >>>>>> I think the same logic would apply for all the values that this >> >>>>>> spec adds to the registry. Why is that wrong? >> >>>>>> >> >>>>>>> Others can certainly introduce those identifiers and register >> >>>>>>> them if they do have such a use case, once the registry has been >> >>>>>>> established. But the working group wanted to be conservative >> >>>>>>> about the identifiers introduced to prime the registry, and this >> >>>>>>> is such a case. >> >>>>>>> >> >>>>>>> What identifiers to use and register will always be a balancing >> >>>>>>> act. You want to be as specific as necessary to add practical >>>>>>> and >> >>>>>>> usable value, but not so specific as to make things >>>>>>> unnecessarily >> >>>>>>> brittle. >> >>>>>> >> >>>>>> Eh... don't we want interop? Isn't that the primary goal here? >> >>>>>> >> >>>>>>> While some might say there's a difference between serial number >> >>>>>>> ranges of particular authentication devices, going there is >> >>>>>>> clearly in the weeds. On the other hand, while there used to be >> >>>>>>> an "eye" identifier, Elaine Newton of NIST pointed out that >>>>>>> there >> >>>>>>> are significant differences between retina and iris matching, so >> >>>>>>> "eye" was replaced with "retina" >> >>>>>>> and "iris". Common sense informed by actual data is the key >>>>>>> here. >> >>>>>> >> >>>>>> That's another good example. There's no reference for "iris." >> >>>>>> If that is used in some protocol, then what format(s) are >>>>>> expected >> >>>>>> to be supported? Where do I find that spec? If we can answer >>>>>> that, >> >>>>>> then great, let's add the details. If not, then I'd suggest we >>>>>> omit >> >>>>>> "iris" and leave it 'till later to add an entry for that. >>>>>> And >> >>>>>> again, including text with "iris" as an example is just fine, all >> >>>>>> I'm asking is that we only add the registry entry if we can meet >> >>>>>> the same bar that we're asking the DE to impose on later >>>>>> additions. >> >>>>>> >> >>>>>> And the same for all the others... >> >>>>>> >> >>>>>> Cheers, S. >> >>>>>> >> >>>>>> >> >>>>>>> >> >>>>>>> The point of the registry requiring a specification reference is >> >>>>>>> so people using the registry can tell where the identifier is >> >>>>>>> defined. For all the initial values, that requirement is >> >>>>>>> satisfied, since the reference will be to the new RFC. >>>>>>> I think >> >>>>>>> that aligns with the point that Joel was making. >> >>>>>>> >> >>>>>>> Your thoughts? >> >>>>>>> >> >>>>>>> -- Mike >> >>>>>>> >> >>>>>>> -----Original Message----- From: OAuth >> >>>>>>> [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell >> >>>>>>> Sent: Wednesday, February 1, 2017 7:03 AM To: joel jaeggli >> >>>>>>> <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG >>>>>>> <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: >> >>>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; >>>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr >>>>>>> -values@ietf.org>; >> >>>>>>> >>>>>>> oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: >>>>>>> [OAUTH-WG] Stephen Farrell's Discuss >> >>>>>>> on draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>> On 01/02/17 14:58, joel jaeggli wrote: >> >>>>>>>> On 1/31/17 8:26 AM, Stephen Farrell wrote: >> >>>>>>>>> Stephen Farrell has entered the following ballot position for >> >>>>>>>>> draft-ietf-oauth-amr-values-05: Discuss >> >>>>>>>>> >> >>>>>>>>> When responding, please keep the subject line intact and >>>>>>>>> reply >> >>>>>>>>> to all email addresses included in the To and CC lines. (Feel >> >>>>>>>>> free to cut this introductory paragraph, >> >>>>>>>>> however.) >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> Please refer to >> >>>>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html >> >>>>>>>>> >>>>>>>>> >> >>>>>>>>> >> >> >>>>>>>>> for more information about IESG DISCUSS and COMMENT >> >>>>>>>>> positions. >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> The document, along with other ballot positions, can be found >> >>>>>>>>> here: >> >>>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ >> >>>>>>>>> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> >>>> >> >>>>>>>>> >> >>> >> >>>>>>>>> >> >> >>>>>>>>> --------------------------------------------------------------------- >> >> >>>>>>>>> >> >>>>>>>>> >> >>>>>> >> >>>>>>>>> >> >>>>> - >> >>>>>>>>> DISCUSS: >> >>>>>>>>> -------------------------------------------------------------- >>>>>>>>> -- >> >>>>>>>>> >>>>>>>>> ----- >> >>>>>>>>> >> >>>>>>>>> >> >>>>>> >> >>>>>>>>> >> >>>>> >> >>>>>>>>> >> >>>> >> >>>>>>>>> >> >>> >> >>>>>>>>> >> >> - >> >>>>>>>>> >> >>>>>>>>> This specification seems to me to break it's own rules. >> >>>>>>>>> You state that registrations should include a reference to a >> >>>>>>>>> specification to improve interop. And yet, for the strings >>>>>>>>> added >> >>>>>>>>> here (e.g. otp) you don't do that (referring to section 2 will >> >>>>>>>>> not improve interop) and there are different ways in which >>>>>>>>> many >> >>>>>>>>> of the methods in section 2 can be done. So I think you need >>>>>>>>> to >> >>>>>>>>> add a bunch more references. >> >>>>>>>> >> >>>>>>>> Not clear to me that the document creating the registry needs >>>>>>>> to >> >>>>>>>> adhere to the rules for further allocations in order to >> >>>>>>>> prepoulate the registry. that is perhaps an appeal to future >> >>>>>>>> consistency. >> >>>>>>> >> >>>>>>> Sure - I'm all for a smattering of inconsistency:-) >> >>>>>>> >> >>>>>>> But I think the lack of specs in some of these cases could >>>>>>> impact >> >>>>>>> on interop, e.g. in the otp case, they quote two RFCs and yet >>>>>>> only >> >>>>>>> have one value. That seems a bit broken to me, so the discuss >> >>>>>>> isn't really about the formalism. >> >>>>>>> >> >>>>>>> S. >> >>>>>>> >> >>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>> >> >>>>>> >> >>>>> >> >>>> >> >>> >> >> >
- [OAUTH-WG] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… joel jaeggli
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Anthony Nadalin
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Anthony Nadalin
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Anthony Nadalin
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Manger, James
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones