Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs

Vladimir Dzhuvinov <> Tue, 09 June 2020 10:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8780D3A0D0A for <>; Tue, 9 Jun 2020 03:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UeGvpZXGq2eS for <>; Tue, 9 Jun 2020 03:08:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BA2B03A0CFE for <>; Tue, 9 Jun 2020 03:08:02 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPSA id ibAmjDe7ALvc2ibAnjwmyn; Tue, 09 Jun 2020 03:08:02 -0700
X-CMAE-Analysis: v=2.3 cv=RO/N4Lq+ c=1 sm=1 tr=0 a=FNQ4XmqxRr20pcroDK0mpg==:117 a=FNQ4XmqxRr20pcroDK0mpg==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=A1X0JdhQAAAA:8 a=N8jRir--Xbr3ef71DcMA:9 a=QEXdDO2ut3YA:10 a=EE5gYq7_bG6CvcGDQigA:9 a=K5wMINwhczAcj2Mf:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=Df3jFdWbhGDLdZNm0fyq:22
References: <> <> <>
From: Vladimir Dzhuvinov <>
Autocrypt:; prefer-encrypt=mutual; keydata= mQENBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAG0LFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+iQE+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1Nd
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <>
Date: Tue, 9 Jun 2020 13:08:00 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms070106010003090301090809"
X-CMAE-Envelope: MS4wfKWoR6q9C8JQZ63gZQSbMZRJzcTvAstNSmwsPLLqiYQSHhzHhp5vvWJXbJXPmZZ9G3kJJh4Hmw3XPJ19Krd20H9xqeffWSx5uW3K5LqlUutWljH84iKm pfF/Ss4xbV/WYECnD8SV7gCqVp/38BgT7PTY2ekSISwefvhUREdCQVBz
Archived-At: <>
Subject: Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Jun 2020 10:08:05 -0000

On 08/06/2020 12:15, Daniel Fett wrote:
> That would be the safe implementation, but I was wondering if
> prescribing this is a good choice for an ecosystem.

Postfix vs infix:

If we reason about the common ways ASes (as web apps) get deployed, then
(perhaps) it will become obvious which method is the most natural and
likely to be taken.

  * For an AS which gets deployed in a dedicated host, e.g. as , the app root is likely to be and hence the config URL becoming a simple

  * Multi-tenant ASes where each AS has a dedicated domain for each
    issuer also.

  * For an AS which gets deployed as part of some larger app (e.g. as
    module or package) on the same host, the AS is likely to end up at
    some path like and hence the config being
    easier for a postfix URL.

  * Multi-tenant ASes which share a domain - this is not clear, but I
    suppose both postfix and infix can be made to work without the one
    method demanding more effort.

The infix is not natural, IMO, given the way apps get deployed. Postfix
seems more natural.

I may be wrong about these assumptions. But that's one good way to
approach the problem and specify something which implementers actually
find easier / natural. This, to me, is what an "ideal" technical
standard is.