Re: [OAUTH-WG] draft-hunt-oauth-software-statement-00
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 01 November 2013 20:17 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EACB611E8131 for <oauth@ietfa.amsl.com>; Fri, 1 Nov 2013 13:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOLpez-n+tfF for <oauth@ietfa.amsl.com>; Fri, 1 Nov 2013 13:17:49 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 2A26011E811D for <oauth@ietf.org>; Fri, 1 Nov 2013 13:17:49 -0700 (PDT)
Received: from masham-mac.home ([81.164.176.169]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0LlUZz-1WBOrj0uAx-00bOX8 for <oauth@ietf.org>; Fri, 01 Nov 2013 21:17:48 +0100
Message-ID: <52740C6B.8080000@gmx.net>
Date: Fri, 01 Nov 2013 21:17:47 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <5273FD6F.3070404@gmx.net> <7CBADC8F-E81D-453B-92FA-CADFDA0AD37D@oracle.com>
In-Reply-To: <7CBADC8F-E81D-453B-92FA-CADFDA0AD37D@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:ZI8YTUFy5aukjkX4VrP26SFtWsHfRDVgV3n59JNrlZ6/BHaTVr5 SEBnOkw2tYnsfFKdSyPypZuQPWqWXYivcAH37MTQWqkL5KaAaeeMqy9TkXDgts4fmlXYN6J GWviFHbD6QCwLfIgSftQUZ8OzBNsOqvLN+bwi3NYCXdrTv7DEFO0i6z2EAmzcJ9LSZ4LZcW SFKyr6Tic4ZVKuO5zPvVg==
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-hunt-oauth-software-statement-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 20:17:54 -0000
Hi Phil, thanks for the quick response. Am 01.11.13 20:54, schrieb Phil Hunt: > See below... Phil > > @independentid www.independentid.com phil.hunt@oracle.com > > On 2013-11-01, at 12:13 PM, Hannes Tschofenig > <hannes.tschofenig@gmx.net> wrote: > >> Hi Phil, Hi Tony, Hi all, >> >> regarding this document I believe there are the following questions >> the group may want to think about: >> >> a) Is the lifecycle of software development (Figure 1) common >> accross several companies? > > We are trying to be generic. What we are trying to do is take the old > model where a developer would register with a Facebook, a Google, > whatever and apply it to what happens to open source API and > commercial API scenarios where software is deployed in many locations > (not just a single cloud provider). Certainly makes sense. I am just saying that it would be good if there are others in the group who say that the described model lines up with their practices. You never know but their practices may actually be different. >> >> b) The document defines a number of attributes. Are those >> attributes also used in other deployments? Is their semantic >> clearly defined so that meaningful actions can be taken when >> receiving those? > > The attributes come from Dynamic Registration. Only thing new here > is software_id and software_version. I didn't realize that. Maybe that's worthwhile to highlight. So, the question would then be to the group whether the two newly defined attributes are sufficient and well-defined. The description was good for me. >> >> c) Is the proposed approach for conveying the software statement >> acceptable for the group? (currently the information is conveyed as >> a bearer token encoded as JWT). > > John Bradley's JWT token is similar, but I think they have different > characteristics in the way they are used. I'd like to here John > present this at the meeting before I attempt to try and compare them. > This is something I'd like to work on together. Thanks; that might be useful. I personally don't have a preference here but getting feedback from the group would be good. >> >> What would be good to have is two things: >> >> * Examples >> >> * Text that describes what decisions can be made by the >> introduction of the software assertions. This text could go into >> the introduction to provide a motivation about why to use it. > > I am open to a lot of change her. If anything, my feeling is that if > anything we should cut the drafts back down to the raw normative > text. It is my feeling there is too much explanatory text that > drives the perception that the proposal is complex. Yet this boils > down to 3 methods: > > Static - do what you are doing now if that works. Dynamic - Swap a > software statement (shared by all instances of the same app) for an > individual client assertion (assertion swap) Transient - just pass > your software_id (or maybe it should be software statement) as you > client_id I like that short summary. That should be something for the intro Ciao Hannes > >> >> Ciao Hannes _______________________________________________ OAuth >> mailing list OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] draft-hunt-oauth-software-statement-00 Hannes Tschofenig
- Re: [OAUTH-WG] draft-hunt-oauth-software-statemen… Phil Hunt
- Re: [OAUTH-WG] draft-hunt-oauth-software-statemen… Hannes Tschofenig
- Re: [OAUTH-WG] draft-hunt-oauth-software-statemen… Phil Hunt