Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

"Manger, James" <> Wed, 20 January 2016 04:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C081C1A1B84 for <>; Tue, 19 Jan 2016 20:37:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eJGbIUw4dV17 for <>; Tue, 19 Jan 2016 20:37:40 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A3ACC1A1B6A for <>; Tue, 19 Jan 2016 20:37:38 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.22,319,1449493200"; d="scan'208";a="142839992"
Received: from unknown (HELO ([]) by with ESMTP; 20 Jan 2016 15:37:35 +1100
X-IronPort-AV: E=McAfee;i="5700,7163,8049"; a="65744862"
Received: from ([]) by with ESMTP; 20 Jan 2016 15:37:35 +1100
Received: from ([]) by ([2002:ac31:2854::ac31:2854]) with mapi; Wed, 20 Jan 2016 15:37:34 +1100
From: "Manger, James" <>
To: Hannes Tschofenig <>, "" <>
Date: Wed, 20 Jan 2016 15:37:33 +1100
Thread-Topic: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
Thread-Index: AdFSr11PUssgD816QTiFUWwupJG0PQAhiH1g
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jan 2016 04:37:41 -0000

Accepting draft-jones-oauth-amr-values-03 is almost okay as a starting point for work.
I would like to see significant changes though:

* The "amr_values" parameter should be dropped; it just encourages brittle designs as section 4 "relationship to acr" and section 6 "security considerations" already warn about. There is no need to enable that brittleness. If someone really wants this functionality they could put an amr value in the "acr_values" field as a hack.

* The model for amr_values is wrong as well. For example, "amr":["pwd","otp"] could be a common response that you want, but you cannot ask for that with amr_values since amr_values="pwd otp" actually means just "pwd", or just "otp" is okay (and just "pwd" is your preference).

* Registering values on a "Specification Required" basis is over-the-top. This doc registers 8 amr values with just a few words as each value's "specification" (eg "eye": retina scan biometric). Each of the other 7 amr values are "specified" in a few lines with a reference (or two). A "First Come First Served" basis is probably sufficient, with the "specification" just the description in the registry (that can include references).

James Manger

-----Original Message-----
From: OAuth [] On Behalf Of Hannes Tschofenig
Sent: Tuesday, 19 January 2016 10:48 PM
Subject: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

Hi all,

this is the call for adoption of Authentication Method Reference Values, see

Please let us know by Feb 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Note: The feedback during the Yokohama meeting was inconclusive, namely
9 for / zero against / 6 persons need more information.

You feedback will therefore be important to find out whether we should do this work in the OAuth working group.

Hannes & Derek