Re: [OAUTH-WG] MTLS vs. DPOP
Benjamin Kaduk <kaduk@mit.edu> Tue, 07 May 2019 18:00 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D8021201A8 for <oauth@ietfa.amsl.com>; Tue, 7 May 2019 11:00:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ChVJWCtrPkIi for <oauth@ietfa.amsl.com>; Tue, 7 May 2019 11:00:03 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F34681201BB for <oauth@ietf.org>; Tue, 7 May 2019 11:00:01 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x47HxtAB016484 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 7 May 2019 13:59:57 -0400
Date: Tue, 07 May 2019 12:59:55 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, George Fletcher <gffletch=40aol.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <20190507175954.GM19509@kduck.mit.edu>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com> <CAO_FVe4f3eTJKa1tZjrwkLxnrejX9n+5mU8PJBU5KaRw_TMDzg@mail.gmail.com> <CA+k3eCQWcHoM4OLeuVGEG2FccOXYWVUwnO00LhaEBTvBZXbFog@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CA+k3eCQWcHoM4OLeuVGEG2FccOXYWVUwnO00LhaEBTvBZXbFog@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dHrwrO1YS3QbbgYpAOUBf7UlNOw>
Subject: Re: [OAUTH-WG] MTLS vs. DPOP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 18:00:05 -0000
On Tue, May 07, 2019 at 11:18:21AM -0600, Brian Campbell wrote: > Practically speaking there's the MTLS draft, which has been sent to the > IESG for publication, has commercial and opensource implementations as well > as production deployments, and is referenced by other prospective standards > and profiles. It's not uncommon to receive off list inquires about the > document status from people involved in those things asking when it will be > "finished". Which is to say that there's a good amount of interest from the > community at large in seeing the MTLS document go to RFC. And it's > relatively close to doing so (as these things go anyway). The DPoP > document, on the other hand, is currently an individual draft submission. > And while it has generated some good interest and discussion, it is only an > individual draft submission and carries the same authority as any other > individual draft submission (see > https://tools.ietf.org/html/draft-abr-twitter-reply-00 for example). I > believe that the MTLS draft should continue on the it's course. And am > interested in seeing where we can take the DPoP work and if the WG wants to > take it on. > > Your point about the "PR" perspective is taken. And I probably shouldn't > even bring these up but that whole situation is exacerbated by the > expired/dormant WG documents like draft-ietf-oauth-token-binding and > draft-ietf-oauth-signed-http-request. Some organizations out there touting I've forgotten the details of those two documents, but in the general case, if there's a WG document that is no longer actively being worked on (or is now believed to be a bad idea), the chairs can pretty easily get a new rev posted that has a "tombstone" notice, like "this document is no longer being worked on" or similar, which may help clarify the situation to external parties without much investment on time or tooling. -Ben > their support for RFC 7800 as a complete solution in the > pop/sender-constrained space aren't helping matters either. So while I > think I hear what you are saying, I don't personally see much of anything > reasonable or actionable that can done about it.
- [OAUTH-WG] MTLS vs. DPOP Hannes Tschofenig
- Re: [OAUTH-WG] MTLS vs. DPOP George Fletcher
- Re: [OAUTH-WG] MTLS vs. DPOP Daniel Fett
- Re: [OAUTH-WG] MTLS vs. DPOP Vittorio Bertocci
- Re: [OAUTH-WG] MTLS vs. DPOP Hannes Tschofenig
- Re: [OAUTH-WG] MTLS vs. DPOP Brian Campbell
- Re: [OAUTH-WG] MTLS vs. DPOP Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS vs. DPOP Benjamin Kaduk
- Re: [OAUTH-WG] MTLS vs. DPOP Karl McGuinness
- Re: [OAUTH-WG] MTLS vs. DPOP Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS vs. DPOP Karl McGuinness
- Re: [OAUTH-WG] MTLS vs. DPOP David Waite
- Re: [OAUTH-WG] MTLS vs. DPOP Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS vs. DPOP Hannes Tschofenig
- Re: [OAUTH-WG] MTLS vs. DPOP Justin Richer