Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Vittorio Bertocci <Vittorio@auth0.com> Sat, 30 March 2019 17:35 UTC

In-Reply-To: <20190330091527.GO35679@kduck.mit.edu>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Sat, 30 Mar 2019 10:34:52 -0700
Message-ID: <CAO_FVe48SVTEZKWrZxmq0uXnuws40ir9HdgmN6NN32qZT4rkyg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IETF oauth WG <oauth@ietf.org>, Steinar Noem <steinar@udelt.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bZo-XI-WmEe6p-fXKNEfDeMV5cE>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Hey Benjamin,
Of course I agree that sheer headcount isn’t the main factor :).
The main point here is that this is a profile meant to promote and
facilitate interoperability, so _as long as a proposal is sound &
secure_, the number of products and services favoring it does have direct
impact on adoption & expectations of successful interop. I agree that the
“why” remains the highest order bit, and as you mentioned we have seen good
arguments.

On Sat, Mar 30, 2019 at 02:15 Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi Vittorio,
>
> On Tue, Mar 26, 2019 at 09:48:08AM -0700, Vittorio Bertocci wrote:
> > thank you Steinar and everyone else for the comments on this!
> > To summarize the situation so far: Dominick, Steinar, Rob, David, Nov,
> > Bertrand recommend using sub only for users. Martin would like to have the
> > sub for app only flows as well. Hans is neutral.
> > That does sound like the sub as user has more consensus, tho before
> > changing it I'd wait for the people currently at IETF104 to have more time
> > to comment as well.
>
> I'm not the responsible AD for OAuth, but as irresponsible AD let me point
> out that the WG chairs need to look at the "why" and not just the headcount
> of support, when they determine what has consensus (or lack of consensus).
> But I think we have seen some good arguments presented in this thread, so
> hopefully the chairs' job will not be very difficult.
>
> -Ben
>