IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Tue, 20 August 2013 14:50 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE8C11E823F for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:50:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.793
X-Spam-Level:
X-Spam-Status: No, score=-105.793 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nE5ewRkPRfhE for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:50:55 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 7E67F11E823A for <oauth@ietf.org>; Tue, 20 Aug 2013 07:50:51 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7KEomMc009211 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 16:50:48 +0200
Received: from USCHHTC001.nsn-intra.net ([10.159.161.14]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7KEnUbq017070 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Aug 2013 16:50:47 +0200
Received: from USCHHTC004.nsn-intra.net (10.159.161.17) by USCHHTC001.nsn-intra.net (10.159.161.14) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 20 Aug 2013 09:50:07 -0500
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC004.nsn-intra.net ([10.159.161.17]) with mapi id 14.03.0123.003; Tue, 20 Aug 2013 09:50:06 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Eve Maler <eve@xmlgrrl.com>, Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Thread-Index: AQHOnTSHiFrFHHda9E2Ya+ErypFShZmd+qSQ
Date: Tue, 20 Aug 2013 14:50:07 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA26F17@USCHMBX001.nsn-intra.net>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
In-Reply-To: <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.159.161.118]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 9016
X-purgate-ID: 151667::1377010248-00003561-04532ED7/0-0/0-0
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 14:51:00 -0000

Hi Eve, 

Thanks for pointing to this document. I took a brief look at the use case section and also followed the link to the original UMA use case page at http://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases

The problem with the write-up is that it does not help us in the discussion about these specific design choices for the dynamic client registration protocol since the UMA use cases are more high-level. 

What we would, for example, need (at least I think so) are scenarios at the level of "client generates a client id (instead of AS). What is the motivation? What are the implications for the protocol interaction and for security?"

If someone from the UMA community could provide me with use cases that are focused to help me answer questions like the one above that would be helpful. 

Ciao
Hannes

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of ext Eve Maler
> Sent: Tuesday, August 20, 2013 1:33 AM
> To: Justin Richer
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
> Thu 22 Aug, 2pm PDT
> 
> Hi folks-- Just a reminder that the first draft the UMA group submitted
> on May 1, 2011 contained extensive requirements and use cases related
> to UMA's various needs for dynamic client registration:
> 
> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
> 
> When there was interest to pick up this draft as a WG work item, it was
> recommended that we excise this content so that the doc wouldn't be so
> specific to our particular usage of OAuth.
> 
> I point this out just to show that the need for dynamic client
> registration isn't limited to OpenID Connect, and that some specific
> use cases have already been floated here.
> 
> FWIW,
> 
> 	Eve
> 
> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
> 
> > All of this is a good argument to do both, which is what I've been
> saying all along.
> >
> > -- Justin
> >
> > On 08/19/2013 11:33 AM, Phil Hunt wrote:
> >> I do not recall agreement in charter discussions to solving a
> specific case.
> >>
> >> I recall more than one in the re-chartering discussion said dyn reg
> needed major changes to solve their use cases.
> >>
> >> Phil
> >>
> >> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
> >>
> >>> Tony, I completely disagree. The proposals that I've seen have
> different means and different end states, and they make different
> assumptions about the relationship between entities and the
> capabilities of all players.
> >>>
> >>> -- Justin
> >>>
> >>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
> >>>> There are proposals out there that are trying to solve the same
> problem, but in different ways, so I would not say that they are trying
> to solve different use cases. I do think that we need to make sure that
> whatever proposal we select it needs to have a wide range of use cases
> it solves, not just a single use case as the more solutions this group
> produces the more confused folks will be
> >>>>
> >>>> -----Original Message-----
> >>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> Behalf Of Justin Richer
> >>>> Sent: Monday, August 19, 2013 7:27 AM
> >>>> To: Phil Hunt
> >>>> Cc: oauth mailing list
> >>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
> Call: Thu 22 Aug, 2pm PDT
> >>>>
> >>>> I agree that dynamic registration isn't needed to solve *all* of
> the different use cases. It solves its set of specific problems (and
> does so well, if you ask me), but there are and will always be things
> that it won't work for, and that's fine. That's why I've suggested
> under a separate thread that the other drafts go forward separately and
> that DynReg not be hung up on them. We're fundamentally solving
> different use cases, and there is no magic solution that will solve all
> the problems at once.
> >>>>
> >>>>   -- Justin
> >>>>
> >>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
> >>>>> I think we should start by reviewing use cases taxonomy.
> >>>>>
> >>>>> Then a discussion on any client_id assumptions and actual
> requirements for each client case. Why is registration needed for each
> case?
> >>>>>
> >>>>> The statement can solve some complication but should be put in
> context of use cases.
> >>>>>
> >>>>> Phil
> >>>>>
> >>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
> <hannes.tschofenig@gmx.net> wrote:
> >>>>>
> >>>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>>> Hash: SHA512
> >>>>>>
> >>>>>> - -----BEGIN PGP SIGNED MESSAGE-----
> >>>>>> Hash: SHA512
> >>>>>>
> >>>>>> Based on your feedback via the poll let us start with August
> 22nd with the first conference call. I will distribute the conference
> call details on Tuesday.
> >>>>>>
> >>>>>> Let us talk about the agenda. There were several items brought
> up in
> >>>>>> discussions, namely
> >>>>>>
> >>>>>> * Software assertions / software statements
> >>>>>>
> >>>>>> We briefly discussed this topic at the IETF OAuth session but we
> may need more time to understand the implications for the current
> dynamic client registration document:
> >>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
> >>>>>>
> >>>>>> * SCIM vs. current dynamic client registration approach for
> >>>>>> interacting with the client configuration endpoint
> >>>>>>
> >>>>>> In the past we said that it would be fine to have a profile
> defined in SCIM to provide the dynamic client registration for those
> who implement SCIM and want to manage clients also using SCIM. It might,
> however, be useful to compare the two approaches in detail to see what
> the differences are.
> >>>>>>
> >>>>>> * Interactions with the client registration endpoint
> >>>>>>
> >>>>>> Justin added some "life cycle" description to the document to
> motivate some of the design decisions. Maybe we need to discuss those
> in more detail and add further text.
> >>>>>> Additional text could come from the NIST Blue Button / Green
> Button usage.
> >>>>>>
> >>>>>> * Aspects that allow servers to store less / no state
> >>>>>>
> >>>>>> - - From the discussions on the list it was not clear whether
> this is actually accomplishable with the current version of OAuth. We
> could explore this new requirement and try to get a better
> understanding how much this relates to dynamic client registration and
> to what extend it requires changes to the core spec.
> >>>>>>
> >>>>>>
> >>>>>> What would you like to start with? Other topics you would like
> to bring up?
> >>>>>> - -----BEGIN PGP SIGNATURE-----
> >>>>>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> >>>>>> Comment: GPGTools - http://gpgtools.org
> >>>>>>
> >>>>>> iQEcBAEBCgAGBQJSEULvAAoJEGhJURNOOiAtttEH/Aogg8Q/R/L9/mzU05IQbnze
> >>>>>> AdXB1ZvySkV3jZT4I5shmP7hQr6mc6P6UdvyOrSjrvPlBHen55/oa5z7Cwchd1dk
> >>>>>> dcDUEavbodjnm9SrOs0nKaTvdeZimFSBkGMrfhoTYLXpymP24F9PZgwUXdOcFocF
> >>>>>> OiCs3qDajYaA395DCg5+4mOLQQgDnmy4drlgj2NPv1nMBRDBubzgAhJccwF2BLN9
> >>>>>> IW7MAwTEu7vYT/gwIFzriPkui7gYpf8sAqsnzf/z7FtXbsP8imgOKUlQxzZzeSSP
> >>>>>> QEb6+syyMD9Gt6wxQfWzyl5T0bYLP6DQ+ldZR8yGKCwb+2k3LN6Q8bIpj4mIERI=
> >>>>>> =tkGT
> >>>>>> - -----END PGP SIGNATURE-----
> >>>>>> -----BEGIN PGP SIGNATURE-----
> >>>>>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> >>>>>> Comment: GPGTools - http://gpgtools.org
> >>>>>>
> >>>>>> iQEcBAEBCgAGBQJSEUQfAAoJEGhJURNOOiAt8wkIAI3xgdsWuOB36KLiMLRUG+Zb
> >>>>>> RvYqV+rOH80m7YVJcdOLjQJcpPqOIBdzq/yuNiAaF1uFJCqBn97ZQ/NLXLNGcg8x
> >>>>>> wI/Laz7kP2U4B2trBTMtAf2wsY9uYw4Eh+eOEDKGF6cmkEzrzrlw4q/Sfu6vy181
> >>>>>> VI+kqwzZ+iYX4iL3NYPlkg3rwF4OZ1v3T08Erg2SPrbmNd1TRfJJU8HrYFEJQo1q
> >>>>>> p0RiLjcFFDCEZs0gDr9zliCXllV7J9h2ttqLq8+xwPATDuO6buQdFS9vZQ8t1u36
> >>>>>> a0FIuy3NM8PQbblC3B5WumUjW4kntLV09ytYV8h6S8C/dgFwMqzAwEAeNx1exyE=
> >>>>>> =3qNI
> >>>>>> -----END PGP SIGNATURE-----
> >>>>>> _______________________________________________
> >>>>>> OAuth mailing list
> >>>>>> OAuth@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/oauth
> >>>>> _______________________________________________
> >>>>> OAuth mailing list
> >>>>> OAuth@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/oauth
> >>>> _______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email