Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

William Denniss <wdenniss@google.com> Fri, 12 February 2016 07:44 UTC

From: William Denniss <wdenniss@google.com>
Date: Thu, 11 Feb 2016 23:44:17 -0800
Message-ID: <CAAP42hDw1nM2Bvu3OP+qJ=Yu4f3yRLOBZpf94VxdHak6RRtXZg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a113ce568c3e892052b8dd64b
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/bbJZNWNMcWDtU5lwJRyC9uHH3rE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

Looks good to me, thanks for the revision.

We are using some of these reference values in production already ("rba"
for example) and are supportive of having a formalized registry. +1 to
adopt this draft.

On Thu, Feb 11, 2016 at 10:07 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Draft -05 <http://tools.ietf.org/html/draft-jones-oauth-amr-values-05>
> incorporates the feedback described below - deleting the request parameter,
> noting that this spec isn't an encouragement to use OAuth 2.0 for
> authentication without employing appropriate extensions, and no longer
> requiring a specification for IANA registration.  I believe that it’s now
> ready for working group adoption.
>
>                                                           -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, February 4, 2016 11:23 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Authentication Method Reference Values: Call for
> Adoption Finalized
>
> Hi all,
>
> On January 19th I posted a call for adoption of the Authentication Method
> Reference Values specification, see
> http://www.ietf.org/mail-archive/web/oauth/current/msg15402.html
>
> What surprised us is that this work is conceptually very simple: we define
> new claims and create a registry with new values. Not a big deal, but that's
> not what the feedback from the Yokohama IETF meeting and the subsequent
> call for adoption on the list shows. The feedback led to mixed feelings
> and it is a bit difficult for Derek and myself to judge consensus.
>
> Let me tell you what we see from the comments on the list.
>
> In his review at
> http://www.ietf.org/mail-archive/web/oauth/current/msg15423.html James
> Manger asks for significant changes. Among other things, he wants to remove
> one of the claims. He provides a detailed review and actionable items.
>
> William Denniss believes the document is ready for adoption but agrees
> with some of the comments from James. Here is his review:
> http://www.ietf.org/mail-archive/web/oauth/current/msg15426.html
>
> Justin is certainly the reviewer with the strongest opinion. Here is one
> of his posts:
> http://www.ietf.org/mail-archive/web/oauth/current/msg15457.html
>
> Among all the concerns Justin expressed, the following one is actually
> actionable IMHO: Justin is worried that reporting how a person
> authenticated to an authorization endpoint and encouraging people to use
> OAuth for authentication is a fine line. He believes that this document
> leads readers to believe the latter.
>
> John agrees with Justin in
> http://www.ietf.org/mail-archive/web/oauth/current/msg15448.html that we
> need to make sure that people are not misled about the intention of the
> document. John also provides additional comments in this post to the
> list: http://www.ietf.org/mail-archive/web/oauth/current/msg15441.html
> Most of them require more than just editing work. For example, methods
> listed are really not useful,
>
> Phil agrees with the document adoption but has some remarks about the
> registry, although he does not propose specific text. His review is here:
> http://www.ietf.org/mail-archive/web/oauth/current/msg15462.html
>
> With my co-chair hat on: I just wanted to clarify that registering claims
> (and values within those claims) is within the scope of the OAuth working
> group. We standardized the JWT in this group and we are also chartered to
> standardize claims, as we are currently doing with various drafts. Not
> standardizing JWT in the IETF would have led to reduced interoperability
> and less security. I have no doubts that was a wrong decision.
>
> In its current form, there is not enough support to have this document as
> a WG item.
>
> We believe that the document authors should address some of the easier
> comments and submit a new version. This would allow us to reach out to
> those who had expressed concerns about the scope of the document to
> re-evaluate their decision. A new draft version should at least address the
> following issues:
>
> * Clarify that this document is not an encouragement for using OAuth as an
> authentication protocol. I believe that this would address some of the
> concerns raised by Justin and John.
>
> * Change the registry policy, which would address one of the comments from
> James, William, and Phil.
>
> Various other items require discussion since they are more difficult to
> address. For example, John noted that he does not like the use of request
> parameters. Unfortunately, no alternative is offered. I urge John to
> provide an alternative proposal, if there is one. Also, the remark that the
> values are meaningless could be countered with an alternative proposal.
> James wanted to remove the "amr_values" parameter.
>
> Is this what others want as well?
>
> After these items have been addressed we believe that more folks in the
> group will support the document.
>
> Ciao
>
> Hannes & Derek