Re: [OAUTH-WG] OAuth WG Re-Chartering
Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 22 March 2012 08:40 UTC
Hi George,

I see two distinct areas of interoperability, which are Client-AS and AS-RS. Dynamic client registration belongs to Client-AS whereas JWT & AS-RS communication belong to the latter area. OAuth 2.0 currently (not fully) covers Client-AS and does not address AS-RS.

In my opinion, the WG should decide whether we first complete Client-AS and address AS-RS later on or vice versa. I'm in favour of completing Client-AS first and consider client registration a major missing piece. Why? Because otherwise clients cannot dynamically bind to any OAuth-AS at runtime but have to pre-register (with any?) :-(.

regards,
Torsten.

On 21.03.2012 21:50, George Fletcher wrote:

> +1 to JWT and AS-RS communication over dynamic registration
>
> On 3/21/12 3:52 PM, John Bradley wrote:
>
>> I don't think dynamic registration completely removes the need for a public client, that can't keep secrets.
>>
>> While we did do dynamic client registration for Connect that is a more constrained use case.
>> I would put JWT and AS-RS communication as higher priorities than dynamic registration.
>> Partially because they are more self contained issues.
>>
>> John B.
>> On 2012-03-21, at 4:35 PM, Torsten Lodderstedt wrote:
>>
>>> In my opinion, dynamic client registration would allow us to drop public client thus simplifying the core spec.
>>>
>>> regards,
>>> Torsten.
>>>
>>> On 15.03.2012 16:00, Eran Hammer wrote:
>>>
>>>> I believe most do, except for the dynamic client registration. I don't have strong objections to it, but it is the least important and least defined / deployed proposal on the list. The AS->RS work is probably simpler and more useful at this point.
>>>>
>>>> EH
>>>>
>>>>> -----Original Message-----
>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>>> Of Tschofenig, Hannes (NSN - FI/Espoo)
>>>>> Sent: Thursday, March 15, 2012 4:47 AM
>>>>> To: ext Blaine Cook; Hannes Tschofenig
>>>>> Cc: oauth@ietf.org
>>>>> Subject: Re: [OAUTH-WG] OAuth WG Re-Chartering
>>>>>
>>>>> Hi Blaine,
>>>>>
>>>>> These are indeed good requirements you stated below.
>>>>>
>>>>> When you look at the list of topics do you think that the proposed items
>>>>> indeed fulfill them?
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>>>> Of ext Blaine Cook
>>>>>> Sent: Thursday, March 15, 2012 1:31 PM
>>>>>> To: Hannes Tschofenig
>>>>>> Cc: oauth@ietf.org WG
>>>>>> Subject: Re: [OAUTH-WG] OAuth WG Re-Chartering
>>>>>>
>>>>>> On 14 March 2012 20:21, Hannes Tschofenig wrote:
>>>>>>
>>>>>>> So, here is a proposal:
>>>>>>>
>>>>>>> [Editor's Note: New work for the group. 5 items maximum! ]
>>>>>>>
>>>>>>> Aug. 2012 Submit 'Token Revocation' to the IESG for consideration as a Proposed Standard
>>>>>>>
>>>>>>> Nov. 2012 Submit 'JSON Web Token (JWT)' to the IESG for consideration as a Proposed Standard
>>>>>>>
>>>>>>> 2.0' to the IESG for consideration
>>>>>>>
>>>>>>> Jan. 2013 Submit 'OAuth Dynamic Client Registration Protocol' to the IESG for considerat
>>>>>>>
>>>>>>> Sep. 2012 Submit 'OAuth Use Cases' to
>>>>>>> consideration as an Informational RFC
>>>>>>
>>>>>> This looks great to me.
>>>>>>
>>>>>> I have serious concerns about feature-creep, and think that the OAuth
>>>>>> WG should strongly limit its purview to these issues.
>>>>>> y under the following criteria:
>>>>>>
>>>>>> 1. Proposals must have a direct relationship to t
>>>>>> of OAuth (and not, specifically, bound to an application-level protocol).
>>>>>> 2. Proposals must have significant adoption in both enterprise and startup environments.
>>>>>> 3. Any proposal must be driven based on a consideration of the different approaches, as adopted in the wild, and strive to be a better synthesis of those approaches, not a means to an end.
>>>>>>
>>>>>> These are the constraints with which I started the OAuth project, and they're more relevant than ever. I'd hate to see OAuth fail in the end because of a WS-*-like death by standards-pile-on.
>>>>>>
>>>>>> b.
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth