Re: [OAUTH-WG] Next steps on the OAuth Assertion Drafts
Brian Campbell <bcampbell@pingidentity.com> Tue, 10 September 2013 18:38 UTC
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Regarding the second item about additional SAML related text - such text already exists in the document in §5 [quoted and linked below]. It's unclear to me what else is being asked for here? I'd like to request that some specific and concrete text be proposed, if anyone believes the current wording is insufficient.

From tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-17#section-5:

"5. Interoperability Considerations

Agreement between system entities regarding identifiers, keys, and endpoints is required in order to achieve interoperable deployments of this profile. Specific items that require agreement are as follows: values for the issuer and audience identifiers, the location of the token endpoint, and the key used to apply and verify the digital signature over the assertion. The exchange of such information is explicitly out of scope for this specification and typical deployment of it will be done alongside existing SAML Web SSO deployments that have already established a means of exchanging such information. Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 [OASIS.saml-metadata-2.0-os] is one common method of exchanging SAML related information about system entities."

Thanks,
Brian

On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote:
> Hi all,
>
> I am trying to wrap up the assertion documents and I took a look at the meeting minutes from the Berlin IETF meeting and the actions are as follows:
>
> ** John & Torsten: Please post your document review to the list.
>
> ** Authors of draft-ietf-oauth-saml2-bearer: Please provide the additional SAML related text (as discussed during the meeting) and submit an updated document.
>
> Ciao
> Hannes
>
> ------- copy from the minutes --------
>
> * Assertions (BC)
> https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/
> https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/
>
> - WGLC ends by 8/8
> - BL on WGLC comments: talked to MJ about how to achieve interop.
> - BL: describe how you could combine specifications to make at least one interoperable specification
> - MJ: profiles exists for both SAML and OpenIDC. those are not IETF specifications though
> - BL: ok to point to external doc from either of the I-Ds in question
> - MJ: very achievable
> - BL: all should go to the IESG at the same time to establish context
> - PHO: is this for the IESG benefit or for future developers
> - BL: the latter
> - PHO: talk to Heather Flanagan or the IANA - they have talked about having long-term access to external documents
> - BL: ok will consider that - or we can copy text into WG wiki
> - BC: interop does not require external profiles actually
> - TL: same experience at DT with the JSON-based assertion format - no addl profiles are needed
> - MJ: a SAML deployment needs agreement on certain SAML-specific conventions - this is what BL is referring to
> - BC: right
> - TN: so just refer to the SAML specs
> - BL: maybe enough
> - JB and TL volunteered to make a review.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
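The §5 text quoted in Brian's message lists what an issuer and an authorization server must agree on out of band: the issuer identifier, the audience identifier, the token endpoint location, and the signing key. The following is an added example, not from the draft or from anyone on the thread, of how a token endpoint turns that agreement into checks when it receives an assertion. To stay self-contained it uses the JWT bearer form of the assertion (the sibling draft linked in the minutes) with an HMAC key; a SAML deployment would verify an XML signature with an agreed certificate instead, but the checks on issuer, audience and validity window are the same. All names, URLs and the secret are constructed placeholders.

```python
# Added example: validating an OAuth assertion against a pre-agreed deployment configuration.
# Not the draft's or any project's code; issuer, endpoint and key below are constructed.
import base64
import hashlib
import hmac
import json
import time

# The out-of-band "agreement" the draft's §5 describes, as the authorization server stores it.
AGREEMENT = {
    "issuer": "https://idp.example.com",                # agreed issuer identifier (constructed)
    "token_endpoint": "https://as.example.com/token",   # agreed audience: the token endpoint (constructed)
    "key": b"constructed-shared-secret-not-for-real-use",  # agreed key; HMAC only to keep the demo stdlib-only
    "clock_skew": 60,                                   # tolerated clock drift in seconds
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(claims: dict, key: bytes) -> str:
    """Issuer side: produce a compact JWT signed with HS256 under the agreed key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_assertion(token: str, agreement: dict, now=None):
    """Token endpoint side: check signature, issuer, audience and expiry.

    Returns (ok, reason) so callers can log the precise rejection cause.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable"
    # The algorithm is part of the agreement; never let the token pick it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(
        agreement["key"], (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Issuer must be the agreed identifier, not merely a syntactically valid URL.
    if claims.get("iss") != agreement["issuer"]:
        return False, "unknown issuer"
    # Audience must name this token endpoint; otherwise a token meant for another
    # server could be replayed here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if agreement["token_endpoint"] not in audiences:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + agreement["clock_skew"]:
        return False, "expired or missing exp"
    if "sub" not in claims:
        return False, "missing sub"
    return True, "ok"


def demo():
    """Mint one assertion under the agreement and validate it plus three defective variants."""
    good = {"iss": AGREEMENT["issuer"], "sub": "alice", "aud": AGREEMENT["token_endpoint"], "exp": 2_000_000_000}
    wrong_aud = dict(good, aud="https://other.example.com/token")
    expired = dict(good, exp=100)
    results = {
        "good": validate_assertion(mint_assertion(good, AGREEMENT["key"]), AGREEMENT, now=1_900_000_000),
        "wrong_aud": validate_assertion(mint_assertion(wrong_aud, AGREEMENT["key"]), AGREEMENT, now=1_900_000_000),
        "expired": validate_assertion(mint_assertion(expired, AGREEMENT["key"]), AGREEMENT, now=1_900_000_000),
        "wrong_key": validate_assertion(mint_assertion(good, b"some-other-key"), AGREEMENT, now=1_900_000_000),
    }
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```

The point worth noticing is that every rejection branch corresponds to one item in the §5 list: the key check fails when the two parties have not agreed on the same key, the `iss` check when the issuer identifier differs, and the `aud` check when the token endpoint location differs. None of these values can be discovered from the assertion itself, which is why the draft places their exchange out of scope.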