IETF Logo Mail Archive

Re: [OAUTH-WG] A Proposal for Dynamic Registration

Anthony Nadalin <tonynad@microsoft.com> Wed, 07 August 2013 14:59 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C56911E8144 for <oauth@ietfa.amsl.com>; Wed, 7 Aug 2013 07:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.503
X-Spam-Level:
X-Spam-Status: No, score=-2.503 tagged_above=-999 required=5 tests=[AWL=0.964, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b7DQk-fY7zvI for <oauth@ietfa.amsl.com>; Wed, 7 Aug 2013 07:59:45 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe005.messaging.microsoft.com [65.55.88.15]) by ietfa.amsl.com (Postfix) with ESMTP id 76A0C11E813D for <oauth@ietf.org>; Wed, 7 Aug 2013 07:59:45 -0700 (PDT)
Received: from mail224-tx2-R.bigfish.com (10.9.14.250) by TX2EHSOBE008.bigfish.com (10.9.40.28) with Microsoft SMTP Server id 14.1.225.22; Wed, 7 Aug 2013 14:59:44 +0000
Received: from mail224-tx2 (localhost [127.0.0.1]) by mail224-tx2-R.bigfish.com (Postfix) with ESMTP id 9358EB801CD for <oauth@ietf.org>; Wed, 7 Aug 2013 14:59:44 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC104.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -20
X-BigFish: VS-20(zzbb2dI98dI9371I542I1432I1418Idb82hzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6h1082kzz1de098h1033IL17326ah1de096h8275dh15d4I1de097hz2fh2a8h683h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: pass (mail224-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC104.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail224-tx2 (localhost.localdomain [127.0.0.1]) by mail224-tx2 (MessageSwitch) id 13758875818006_18090; Wed, 7 Aug 2013 14:59:41 +0000 (UTC)
Received: from TX2EHSMHS018.bigfish.com (unknown [10.9.14.237]) by mail224-tx2.bigfish.com (Postfix) with ESMTP id F1652540046 for <oauth@ietf.org>; Wed, 7 Aug 2013 14:59:40 +0000 (UTC)
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS018.bigfish.com (10.9.99.118) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 7 Aug 2013 14:59:33 +0000
Received: from va3outboundpool.messaging.microsoft.com (157.54.51.80) by mail.microsoft.com (157.54.80.25) with Microsoft SMTP Server (TLS) id 14.3.136.1; Wed, 7 Aug 2013 14:59:31 +0000
Received: from mail221-va3-R.bigfish.com (10.7.14.245) by VA3EHSOBE011.bigfish.com (10.7.40.61) with Microsoft SMTP Server id 14.1.225.22; Wed, 7 Aug 2013 14:58:16 +0000
Received: from mail221-va3 (localhost [127.0.0.1]) by mail221-va3-R.bigfish.com (Postfix) with ESMTP id 51281C0374 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 7 Aug 2013 14:58:16 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(51704005)(189002)(199002)(55885003)(24454002)(479174003)(51444003)(377454003)(13464003)(69226001)(74876001)(81542001)(81342001)(74366001)(65816001)(80022001)(47736001)(47976001)(31966008)(74662001)(49866001)(50986001)(51856001)(74502001)(46102001)(47446002)(74706001)(80976001)(15202345003)(4396001)(83072001)(79102001)(561944002)(77982001)(59766001)(53806001)(16406001)(56816003)(77096001)(19580405001)(76786001)(63696002)(76796001)(56776001)(54316002)(83322001)(19580395003)(74316001)(19580385001)(76482001)(33646001)(76576001)(54356001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::f4; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail221-va3 (localhost.localdomain [127.0.0.1]) by mail221-va3 (MessageSwitch) id 1375887493529990_12550; Wed, 7 Aug 2013 14:58:13 +0000 (UTC)
Received: from VA3EHSMHS028.bigfish.com (unknown [10.7.14.250]) by mail221-va3.bigfish.com (Postfix) with ESMTP id 7EA4644004B; Wed, 7 Aug 2013 14:58:13 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com (157.56.240.21) by VA3EHSMHS028.bigfish.com (10.7.99.38) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 7 Aug 2013 14:58:13 +0000
Received: from BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) by BL2PRD0310HT003.namprd03.prod.outlook.com (10.255.97.38) with Microsoft SMTP Server (TLS) id 14.16.341.1; Wed, 7 Aug 2013 14:58:13 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 7 Aug 2013 14:58:10 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) with mapi id 15.00.0745.000; Wed, 7 Aug 2013 14:58:10 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmIzgQQgAD7gwCAAAaN4A==
Date: Wed, 07 Aug 2013 14:58:09 +0000
Message-ID: <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org>
In-Reply-To: <52025504.1000705@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::f4]
x-forefront-prvs: 0931CB1479
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB192.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC104.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 14:59:51 -0000

I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specification that are brought to IETF undergo changes, morf into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change. I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing. Here are the problems that I see with the current proposal and why we would/could not use it:

1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly. 
3. Yet the development of another endpoint.
4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
5. There are a lot of issues that OAUTH does not solve, I don't think that this issue (as I understand it) is in the realm of OAUTH, maybe the applications area would be a better place for this specification



-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org] 
Sent: Wednesday, August 7, 2013 7:09 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

Tony, it happened several months ago:

   http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html

This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.

And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).

There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.

And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality. 
As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from: 
implementations and deployments, not from minor quibbles about syntax. 
So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.

There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.

  -- Justin

On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf 
> Of Justin Richer
> Sent: Tuesday, August 6, 2013 2:18 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>
> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>
>    - OAuth Dynamic Registration
>    - SCIM-based OAuth Dynamic Registration
>    - Software Statements for OAuth Dynamic Registration
>
> I think that they all have their place in the world, and this is how I see them fitting together:
>
>
> OAuth Dynamic Registration
>
> What it is: Essentially the draft we have today, draft 14. This draft 
> defines a standalone RESTful API for dealing with client 
> registrations, it allows for open registration as well as protected 
> registration, and perhaps most importantly we know that it works 
> because people have implemented it as part of several different APIs. 
> This could have an informational pointer to the SCIM draft and the 
> Software Statements draft. We could call this one "core" or "basic" or 
> some other modifier, but I don't think that's necessary because it 
> already does what it says on the tin.
>
> What it needs to concentrate on: This needs to be a "base" document 
> with extension hooks in key places (such as the client metadata, which 
> is already extensible, and places that have been made extensible like 
> the token_endpoint_auth_method, and perhaps others). It needs to get 
> its job done, allowing for full specification of the simple case in an 
> interoperable way (anonymous registration of self-asserted client 
> metadata to receive a client identifier and manage the registration) 
> and be extensible and flexible enough for the more complex cases.
>
> What we should do: I think that we should continue shepherding this 
> document through WGLC in the OAuth WG because there are no specific 
> open issues in the spec (that I, the editor, am aware of) and I've 
> seen what I would personally consider to be rough consensus on it (not 
> unanimous, but that's not necessary anyway).
>
>
>
> SCIM-based OAuth Dynamic Registration:
>
> What it is: Most of Phil's draft, this defines a SCIM profile for 
> managing OAuth clients dynamically. This will accomplish the same 
> kinds of things that the OAuth Dynamic Registration Draft will 
> accomplish, but in a SCIM-like manner. This will have a normative 
> dependency on SCIM (of some version), and probably an informational 
> dependency on OAuth Dynamic Registration. This could have an 
> informational pointer to the Software Statements draft. This draft is 
> very useful if you're already deploying a SCIM based system, and if 
> you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft.
> However, I strongly believe that SCIM is a really big jump for 
> implementing basic functionality that this is trying to accomplish.
>
> What it needs to concentrate on: Tracking with the overall SCIM 
> specification (on which it depends) and tracking with the data model 
> and general usage of the OAuth Dynamic Registration protocol (wherever 
> it makes sense to do so).
>
> What we should do: I think that this draft should be picked up and 
> worked on as an IETF document, but I think that it probably makes more 
> sense for that work to be done inside of the SCIM working group. The 
> reasons for this are twofold: First, this draft really should look and 
> feel like SCIM, and to do that it really needs the attention of the 
> group that's defining SCIM. Second, SCIM isn't completed and likely 
> won't be for some time to come, and this draft needs to track with 
> that protocol as it moves through the IETF process.
>
>
>
> Software Statements for OAuth Dynamic Registration
>
> What it is: Section 4 of Phil's draft (plus a few other bits, 
> discussed here), this defines a method for presenting signed and/or 
> verifiable claims to the registration server's endpoint. This is most 
> useful when an authorization server can verify the claims being 
> presented, such as being able to discover the signing key from the 
> "iss" claim and validate the signature. This could also be used (with 
> some additional
> specification) by a discovery-based system that could fix ahead of 
> time some of the claims for a given piece of software (like we've done 
> with
> BlueButton+). In some circumstances, this assertion could even contain
> all relevant bits of the registration, leaving the rest of the 
> metadata fields blank. This is essentially the "use the assertion as 
> the registration" flow that Phil discussed at the meeting, from what I 
> understand. In all of these cases, it can give us a higher assurance 
> for the registration and means to tie together multiple instances of a 
> piece of software across a network.
>
> What it needs to concentrate on: Making the software statements 
> interoperable. I don't think this is going to be an easy task, and I 
> think it's going to be a long process to get it *right* for all players.
>
> What we should do: I think that this draft should be picked up by the 
> OAuth Working Group as a WG document, and it should be built as an 
> extension to both the OAuth Dynamic Registration and SCIM-based OAuth 
> Dynamic Registration documents. I think it's important, but it's added 
> functionality on top of either the RESTful or the SCIM-based 
> registration documents, and as such it should have a normative 
> reference to both of them with detailed profiles of how to use them.
>
>
>
>
>
>
> So in all, we've got three main documents, each with different 
> purposes and concentrations, and with different timelines. I don't see 
> any problem with these coexisting, and I think doing things this way 
> can cover all of our known use cases and let us actually progress 
> these documents and move forward.
>
>    -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email