IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-03.txt

Brian Campbell <bcampbell@pingidentity.com> Thu, 21 June 2012 21:07 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3969121F8679 for <oauth@ietfa.amsl.com>; Thu, 21 Jun 2012 14:07:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.01
X-Spam-Level:
X-Spam-Status: No, score=-6.01 tagged_above=-999 required=5 tests=[AWL=-0.033, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWpYrN6mqBax for <oauth@ietfa.amsl.com>; Thu, 21 Jun 2012 14:07:33 -0700 (PDT)
Received: from na3sys009aog103.obsmtp.com (na3sys009aog103.obsmtp.com [74.125.149.71]) by ietfa.amsl.com (Postfix) with ESMTP id 889B221F8674 for <oauth@ietf.org>; Thu, 21 Jun 2012 14:07:32 -0700 (PDT)
Received: from mail-qc0-f179.google.com ([209.85.216.179]) (using TLSv1) by na3sys009aob103.postini.com ([74.125.148.12]) with SMTP ID DSNKT+ONFLOwvES0OFABJCr8k4VoZjP07mQH@postini.com; Thu, 21 Jun 2012 14:07:32 PDT
Received: by qcse14 with SMTP id e14so647324qcs.38 for <oauth@ietf.org>; Thu, 21 Jun 2012 14:07:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=6ODo7rBkkH4cqsuzJvethI3WXlggbGA8xqiYtPZ6R4A=; b=iX5gGdqv/RU5f8sC4+lneo4uwWazivkp3e8n9kCUUAsO0HnBOIDXrSue1Q2+v2QMcw q5pq6JwUPBnN4r4mCh7JlEeECT52nclKKV/vzclmgNmWfY+Nbvw2p1xz6Bux7HoljupL p96K3CmT930WdmzI4mUFgZwIf5aWTKrkjEAH0Svp5SDqdSixMy7OpQ4Nj/y8wPlps0IZ qV3POW9UKLxd4FyuwyAOPUGbg3m1SGXTshjEbh1m9YubMvVog1Ij/ZEf4f5VXMzuaAtD ODPVhRFFPW0q80WqZ8pbMmeLbxbBfih/tU0TlCSdHU/RlEOsqgs3d/g/pdhUrlzW0h0O 1mpQ==
Received: by 10.224.185.148 with SMTP id co20mr2190823qab.4.1340312851425; Thu, 21 Jun 2012 14:07:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.87.142 with HTTP; Thu, 21 Jun 2012 14:07:01 -0700 (PDT)
In-Reply-To: <DE39D7C5-5265-44D3-A8C0-F8CA39DBC5C1@gmx.net>
References: <20120621175317.32545.76545.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739436656323F@TK5EX14MBXC283.redmond.corp.microsoft.com> <0F4BC83D-9C3E-44CD-9D8C-5784A7495486@gmx.net> <DE39D7C5-5265-44D3-A8C0-F8CA39DBC5C1@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 21 Jun 2012 15:07:01 -0600
Message-ID: <CA+k3eCROhwDsF=r=UsRWqU6XaHQOU6hNgq_mP84h+Gavx6H8CQ@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQk+80RYy6tFEb/3FwWUUFK9iyvw3DfuBs7z0wMPPNtt5GSmmyLjOrh58GaxAcQu8rqKN/fX
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2012 21:07:34 -0000

As far as the rest of the policy discussion, I have no interest or
intent to define policy for this stuff. A year+ ago I needed a URI for
the SAML grant type. It could be anything but it should be something
stable. And it'd be nice if it was semi-meaningful.  I was using
http://openid.net or something for a while and there were concerns
about ownership and stability. Also because SAML grant was an IETF
draft, it seed to make sense to have an IETF URI. I didn't know how to
get one so I asked. Eventually Hannes suggested the text that became
draft-ietf-oauth-urn-sub-ns. A few more things came along that
similarly needed URIs (JWT grant and client assertion auth) so it
seemed to be working out well. Very little changed in that draft for
nearly a year until the AD review yesterday brought up some
deficiencies. I tried to address those in -03 today (and would like to
do a -04 soon with the minor changes Mike suggested).

With that said, all I really wanted was an easy way to reserve or
register a stable and somewhat meaningful URI. It's proven not to be
easy, however. Adding additional sub-registries and policy to
urn:ietf:params:oauth, which will probably only ever have a few values
in it,  seems to me to be unnecessarily adding a lot of overhead to it
all.

Perhaps I'm mistaken but wouldn't Expert Review catch URIs that are
just wrong prior to registration? And even if it didn't, what really
is the harm?





On Thu, Jun 21, 2012 at 1:48 PM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Btw, in a discussion with Brian we check the policies for the three extensions in the OAuth core specification
>
> 1) Section 8.3.  Defining New Authorization Grant Types
>
> If you don't define additional token endpoint parameters then there is actually no requirement for expert review or a specification.
> It is probably FCFS.
>
> 2) Section 8.1.  Defining Access Token Types
>
> For URIs there seems to be no constraint either although the text talks about limited to vendor-specific implementations.
>
> 3) client_assertion_type is created in http://tools.ietf.org/html/draft-ietf-oauth-assertions-03#section-8.3
>
> There is no description either for what is required to register a new assertion type into the URN class client_assertion_type.
>
> (For client authentication mechanisms there is actually no registry in core and therefore there is no policy either.)
>
> Ciao
> Hannes
>
> On Jun 21, 2012, at 10:12 PM, Hannes Tschofenig wrote:
>
>> Hi Mike,
>>
>> Thanks for your mail.
>>
>> First, I would like to argue for a registry that has more than one level. We need a two level registry because the different extensions have (and will also in the future) have different extension policies.
>>
>> The structure of the registry is: urn:ietf:params:oauth:<class>:<id>
>>
>> On the first level, the <class> part, we have high level functionality that was defined in the core specification. This includes things like
>>
>> 1) authorization grants (which you call grant-type in your registration request in http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-12)
>>
>> So, this would be urn:ietf:params:oauth:grant-type
>>
>> 2) client authentication mechanism (which you call client-assertion-type in http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-12 but should rather mean something like client-auth-type)
>>
>> So, this could be something like urn:ietf:params:oauth:client-auth-type
>>
>> 3) Access Token Types (which is called 'token-type' in http://www.ietf.org/id/draft-ietf-oauth-json-web-token-00.txt)
>>
>> This is urn:ietf:params:oauth:token-type.
>>
>> [PS: The text in the http://tools.ietf.org/html/draft-ietf-oauth-v2-28#section-8.1 for registering new access token types is a bit confusing and I am not sure whether an absolute URI would actually be required even though it makes a lot of sense.]
>>
>> While I believe that our initial requirement for "RFC required" for adding these top level classes makes sense since these basic extension features to OAuth are really core to the protocol functionality it is good that the group checks them carefully.
>>
>> Then, at the <id> level the individual values reside. For the authorization grant this is 'saml2-bearer' as defined in http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-12#section-6.
>>
>> So, what is the right policy for adding values under urn:ietf:params:oauth:grant-type? http://tools.ietf.org/html/draft-ietf-oauth-v2-28#section-8.3 says what the policy is. So, instead of re-deciding a new policy for adding entries here it would be good to get it inline with what the policy is in the core spec.
>>
>> What could go wrong if the two are not aligned? I actually had that case in the DIME working group. Without going into the details the registry had a much stronger policy (RFC required) than the protocol specification (which only required a specification, if I remember it). The consequence was that people couldn't easily register new values from other organizations since they would fail in the last step when a new registry value had to be created (since IANA then told them 'RFC Required'). Consequently, these other organizations who wanted to get their work done then avoided doing so by misusing other extensions, which was really not good.
>>
>> Mike, you have actually been suggesting that a three level category for certain classes of sub-registries is actually OK as well. That may be true and we could relax the text to say that whoever defines the class also decides about the structure of the child elements underneath it.
>>
>> What I believe we need to add in the document is to populate the registry with the three URIs (from above; referring to the classes) and pointing to the policy from the core specification. Then, other docs (like draft-ietf-oauth-json-web-token-00.txt) can just put their values in there.
>>
>> Ciao
>> Hannes
>>
>>
>> On Jun 21, 2012, at 9:14 PM, Mike Jones wrote:
>>
>>> This draft is much clearer.  Thanks for the quick turn-around.
>>>
>>> One question:  You added:
>>> *Index value: values subordinate to urn:ietf:params:oauth are of the from urn:ietf:params:oauth:<class>:<id> with <class>:<id> as the index value
>>> Why bake the assumption of a two-level structure into the registry?
>>>
>>> For instance, you could easily imagine legal and useful registrations of the form <class>:<subclass>:<id>, etc.
>>>
>>> Maybe change this to say:
>>> *Index value: values subordinate to urn:ietf:params:oauth are of the from urn:ietf:params:oauth:<value> with <value> as the index value.  It is suggested that <value> include both a "class" and an "identifier-within-class" component, with the two components being separated by a colon (":"); other compositions of the <value> may also be used.
>>>
>>>                              -- Mike
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
>>> Sent: Thursday, June 21, 2012 10:53 AM
>>> To: i-d-announce@ietf.org
>>> Cc: oauth@ietf.org
>>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-03.txt
>>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>>>
>>>      Title           : An IETF URN Sub-Namespace for OAuth
>>>      Author(s)       : Brian Campbell
>>>                         Hannes Tschofenig
>>>      Filename        : draft-ietf-oauth-urn-sub-ns-03.txt
>>>      Pages           : 7
>>>      Date            : 2012-06-21
>>>
>>> Abstract:
>>>  This document establishes an IETF URN Sub-namespace for use with
>>>  OAuth related specifications.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-urn-sub-ns
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-03
>>>
>>> A diff from previous version is available at:
>>> http://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-urn-sub-ns-03
>>>
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email