IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 28 August 2013 16:34 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED1D21F9929 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:34:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH3YxGO7Nxak for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:34:14 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id C569821F8895 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:34:13 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id x54so5476739wes.32 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:34:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=cblKWspApPxzhzTjUsykxS8lmeBulShExULd0zSGfVY=; b=FHeN3o9jfxyrG++yXPOYghT086UD3iAcjgmoDbjoVVzQpbti5/VpXEr9uBkGiOCg+2 BgaKkAoH7sp7LOMcwXOe9TNOv5UcKzoMnRjAHhMo9wU6ZD2yW/4ZYozOFeMSRGUHOAuD tCCMzQvNaUrrX4WSff9UkdZdE47U159b3upr0c/qWZX9jwrhL+WZHsplwzy+eFcbMMb9 EcId5bCSGGOVo82wTo6drLy2gZ6CxiLccY9RTtkDiXKayrOhU0NSdSK9ioJm6YEsToGm 5Fy5Cd6bvlH2m4qLD8lr1x1tbYP/dLRLDg5xZNshZ3XsfCB3s9ENDuCQ8JaqyaWEbNZ3 JNbQ==
X-Received: by 10.194.109.68 with SMTP id hq4mr21532456wjb.12.1377707652899; Wed, 28 Aug 2013 09:34:12 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id a8sm6273550wie.6.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 09:34:12 -0700 (PDT)
Message-ID: <521E2682.4020108@gmail.com>
Date: Wed, 28 Aug 2013 17:34:10 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2086.1010007@mitre.org> <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
In-Reply-To: <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:34:15 -0000

On 28/08/13 17:20, Phil Hunt wrote:
> This is the key problem with dyn reg.
>
> You have to recognize software as distinct entities shared by clients as instances. Statements can be by a developer, an organization or an api owner that approves clients in the same way google or facebook does today.
>
> The approval happens once per client software or can even happen once per publisher or developer depending on trust.
>
> Dyn reg doesn't work in practice because each registration has to be approved individually yet the protocol doesn't support approvals. It must be immediate.
>
> This is why the question of who has used this in production matters. Implementation of dyn reg is easy. Operating it looks workable only in small installations.

What concerns me is that while it is obviously important that large 
installations should be supported, there does not seem to be much 
motivation to worry about the small installations. But the thing is, 
without the small installations, the possibility is OAuth apps will be 
developed by developers working for large OAuth providers only.

I'm sorry, I realize it is not much in scope of this discussion, my 
comment, but it worries me how strong a push is to get the JWT or SAML 
assertions becoming the main 'artifacts' of OAuth.

Cheers, Sergey

>
> Phil
>
> On 2013-08-28, at 9:08, Justin Richer <jricher@mitre.org> wrote:
>
>> I set up an auth server to protect my API, my users download a piece of software that speaks the API to access their data. Where is my server supposed to get the list of "approved" software classes from? Are you assuming a central registry per API? Or is it going to be provider-specific? If the latter, why wouldn't you just do manual registration and not use dynamic registration at all? After all, manual registration will always still be a valid option.
>>
>> -- Justin
>>
>> On 08/28/2013 12:02 PM, Phil Hunt wrote:
>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>
>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>
>>> Dyn reg assumes every registration of an instance is unique which too me is a very extreme position.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>
>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>
>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>> Sorry. I meant also to say i think there are 2 registration steps.
>>>>>
>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>
>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>
>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>
>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>
>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>
>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>
>>>>>>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>>>>>
>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>> Meeting Number: 703 230 586
>>>>>>> Meeting Password: oauth
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the online meeting
>>>>>>> -------------------------------------------------------
>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>> 2. Enter your name and email address.
>>>>>>> 3. Enter the meeting password: oauth
>>>>>>> 4. Click "Join Now".
>>>>>>>
>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>
>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the teleconference only
>>>>>>> -------------------------------------------------------
>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>> Conference Code: 944 910 5485
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.30.2 | Report a Bug | By Email | System Status