Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 07 July 2020 22:21 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDE6A3A0B27 for <oauth@ietfa.amsl.com>; Tue, 7 Jul 2020 15:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jBq8md48-wLK for <oauth@ietfa.amsl.com>; Tue, 7 Jul 2020 15:21:09 -0700 (PDT)
Received: from p3plsmtpa06-04.prod.phx3.secureserver.net (p3plsmtpa06-04.prod.phx3.secureserver.net [173.201.192.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 045373A0B28 for <oauth@ietf.org>; Tue, 7 Jul 2020 15:21:08 -0700 (PDT)
Received: from [192.168.88.250] ([94.155.17.31]) by :SMTPAUTH: with ESMTPSA id svxaj1ZzWM35XsvxbjkaMU; Tue, 07 Jul 2020 15:21:08 -0700
X-CMAE-Analysis: v=2.3 cv=CPNUoijD c=1 sm=1 tr=0 a=+I3yL00+yDwT8KNLgfs+4A==:117 a=+I3yL00+yDwT8KNLgfs+4A==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=Dc0mUnFQl-Wq2u5v2AMA:9 a=QEXdDO2ut3YA:10 a=pGLkceISAAAA:8 a=Lz2gcHyPjL5tGRc_hgQA:9 a=hncZEEFjE3mArc4k:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: oauth@ietf.org
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Autocrypt: addr=vladimir@connect2id.com; prefer-encrypt=mutual; keydata= mQENBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAG0LFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+iQE+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1Nd
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com>
Date: Wed, 08 Jul 2020 01:21:06 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020209000405020205030908"
X-CMAE-Envelope: MS4wfBzGRL0Db1ghy8cRo1iXNqPSbuqO+7yRuREtF/ZcKSoiQOkfDZV8sTTGbu9KbvdlGc1WMuwPQfUyiduHWed9Pp45zxBkaq7PPjaEk2g5ZLp+3Fw9uCYq BRk/pmTz3gng5ZUZr/FtpJOUJooxg2hCaqhiaBzxr2CScQMU/gwqtpKk
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ntz0OUudD1NCsqkkngkqM3bOqsQ>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 22:21:12 -0000
I find 03 well structured, well written and it shows that a lot of thought and work has gone into it. If this is a formal call for adoption - I support it. > - defined new client type - credentialed clients - a client that has > credentials, but the AS has not confirmed the identity of the client. > Confidential clients have had their identity confirmed by the AS. We > talked about changing the names of confidential and public, but > thought that would be confusing. This new definition cleans up the > text substantially. I understand why this new client type was introduced. For the reader who is not familiar with the recent OAuth RFCs and drafts - I suspect this can still be confusing. There will likely be questions -- Why does this difference between confidential and credentialed matter? What is a concrete example of a credentialed client? Also, people will likely ask themselves - what does the confirmation of a (credentialed) client's identity by the AS actually mean and do? (section 2.1) > Authorization servers SHOULD consider the level of confidence in a > client's identity when deciding whether they allow such a client > access to more critical functions, such as the Client Credentials > grant type. Again, normative text that relies on the implementer being able to assign levels of confidence in the client's identity, but is not immediately obvious how to go about this. There is mention in 9.1 about "enlisting the resource owner to confirm identity" and "if there is a web application whose developer's identity was verified...". But this talk about client identity is secondary and happens in the context of client authentication. Perhaps it will make sense to promote the discussion about identity to a new 9.x section "Client identity" or "Client Identification", before "Client Authentication". Addressing the topics what client identity is, why does it matter (especially for security), and the "confirmation by the AS". Then proceed with "Client Authentication" which now is freed to focus on the credentials / auth methods aspects. > Such credentials are either issued by the > authorization server or registered by the developer of the client > with the authorization server. Credentials (public key) can also be registered by a client performing dynamic registration (section 2.1) Vladimir
- [OAUTH-WG] OAuth 2.1-03 - WG adoption? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch