Re: [OAUTH-WG] draft-hunt-oauth-software-statement-00

Phil Hunt <> Fri, 01 November 2013 21:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 182FF11E8181 for <>; Fri, 1 Nov 2013 14:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.287
X-Spam-Status: No, score=-6.287 tagged_above=-999 required=5 tests=[AWL=0.312, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UVuLK8CTSDUl for <>; Fri, 1 Nov 2013 14:25:07 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id DFBE511E8160 for <>; Fri, 1 Nov 2013 14:25:06 -0700 (PDT)
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id rA1LP3N4015365 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 1 Nov 2013 21:25:03 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id rA1LP2C9017387 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 Nov 2013 21:25:03 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id rA1LP2QR017378; Fri, 1 Nov 2013 21:25:02 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 01 Nov 2013 14:25:02 -0700
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <>
In-Reply-To: <>
Date: Fri, 1 Nov 2013 14:24:50 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Hannes Tschofenig <>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: []
Cc: " WG" <>
Subject: Re: [OAUTH-WG] draft-hunt-oauth-software-statement-00
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Nov 2013 21:25:12 -0000



On 2013-11-01, at 1:17 PM, Hannes Tschofenig <> wrote:

> Hi Phil,
> thanks for the quick response.
> Am 01.11.13 20:54, schrieb Phil Hunt:
>> See below... Phil
>> @independentid
>> On 2013-11-01, at 12:13 PM, Hannes Tschofenig
>> <> wrote:
>>> Hi Phil, Hi Tony, Hi all,
>>> regarding this document I believe there are the following questions
>>> the group may want to think about:
>>> a) Is the lifecycle of software development (Figure 1) common
>>> accross several companies?
>> We are trying to be generic. What we are trying to do is take the old
>> model where a developer would register with a Facebook, a Google,
>> whatever and apply it to what happens to open source API and
>> commercial API scenarios where software is deployed in many locations
>> (not just a single cloud provider).
> Certainly makes sense. I am just saying that it would be good if there are others in the group who say that the described model lines up with their practices. You never know but their practices may actually be different.

Hmmm…. not sure what granularity you are after.  I am just describing what is essentially a "federated" model for registration that works for developers who have no prior relationship with the service providers that deploy a particular API.  Nothing more.

One way to look at this is that Software Statements preserve the current methodology of the client developer registering with the developer registration service for an API -- usually that would be the organization that controls/revises/updates the API definition.  In commercial APIs that would be the vendor, in open APIs, it would be the consortium or the open source project.  In OpenID Connect for example, it could be the OIDF or someone like the OIX since OIX is helping to vet/whitelist IDPs.

Finally, if no organization is available to provide the developer software statement, the developer can always self-assert. In a sense this becomes similar to dyn reg now.  Except with one major difference.  All copies of the developer's client will still use the same assertion and the registration profile is "locked".  

You could even go to per instance assertions where the developer could decide to have the client generate on the fly if their use case really does demand completely different registration per client instance -- I've yet to see a valid use case, but this would still be possible.

IOW -- this is no different from other federation models where AS service providers decide to trust different assertion "roots" or specific assertions as needed.  A well worn model.

===>  Any lifecycle model is possible!
>>> b) The document defines a number of attributes. Are those
>>> attributes also used in other deployments? Is their semantic
>>> clearly defined so that meaningful actions can be taken when
>>> receiving those?
>> The attributes come from Dynamic Registration.  Only thing new here
>> is software_id and software_version.
> I didn't realize that. Maybe that's worthwhile to highlight.
> So, the question would then be to the group whether the two newly defined attributes are sufficient and well-defined. The description was good for me.

My understanding is that dyn reg has these attributes as well (so they are no longer new).  It may be that software statement's attributes need to be updated to reflect the current dyn reg phrasing.
>>> c) Is the proposed approach for conveying the software statement
>>> acceptable for the group? (currently the information is conveyed as
>>> a bearer token encoded as JWT).
>> John Bradley's JWT token is similar, but I think they have different
>> characteristics in the way they are used.  I'd like to here John
>> present this at the meeting before I attempt to try and compare them.
>> This is something I'd like to work on together.
> Thanks; that might be useful. I personally don't have a preference here but getting feedback from the group would be good.
>>> What would be good to have is two things:
>>> * Examples
>>> * Text that describes what decisions can be made by the
>>> introduction of the software assertions. This text could go into
>>> the introduction to provide a motivation about why to use it.
>> I am open to a lot of change her. If anything, my feeling is that if
>> anything we should cut the drafts back down to the raw normative
>> text.  It is my feeling there is too much explanatory text that
>> drives the perception that the proposal is complex.  Yet this boils
>> down to 3 methods:
>> Static - do what you are doing now if that works. Dynamic - Swap a
>> software statement (shared by all instances of the same app) for an
>> individual client assertion (assertion swap) Transient - just pass
>> your software_id (or maybe it should be software statement) as you
>> client_id
> I like that short summary. That should be something for the intro
> Ciao
> Hannes
>>> Ciao Hannes _______________________________________________ OAuth
>>> mailing list