IETF Logo Mail Archive

Re: [OAUTH-WG] A Proposal for Dynamic Registration

Phil Hunt <phil.hunt@oracle.com> Mon, 12 August 2013 18:43 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D45C121F9EE0 for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 11:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.963
X-Spam-Level:
X-Spam-Status: No, score=-5.963 tagged_above=-999 required=5 tests=[AWL=0.636, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNWDug3DTIDY for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 11:43:20 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id AA6F821F9ED2 for <oauth@ietf.org>; Mon, 12 Aug 2013 11:43:20 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7CIhJQQ004902 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Mon, 12 Aug 2013 18:43:20 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7CIhJZG023921 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Mon, 12 Aug 2013 18:43:19 GMT
Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7CIhJwi023903 for <oauth@ietf.org>; Mon, 12 Aug 2013 18:43:19 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 12 Aug 2013 11:43:18 -0700
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5208EC80.3060707@mitre.org>
Date: Mon, 12 Aug 2013 20:43:17 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org>
To: "oauth@ietf.org WG" <oauth@ietf.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 18:43:26 -0000

Inlineā€¦

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:

> I think it's very important that we put *some* stake in the ground for the likes of OIDC, BB+, UMA, and the other higher-level protocols and systems that are looking toward us for Dyn Reg now. They weren't, previously -- all of these had mutually incompatible registration systems, but the work we've done so far with Dyn Reg has made a system that everyone can use. If we don't declare a baseline, and do so soon, then I fully believe that these groups will either fracture unnecessarily, or they'll ignore the IETF. Or both.

[PH] Your position here indicates to me that there is not a lot of natural consensus between OIDC, BB+, UMA and others. If these groups are aligning solely because of moral pressure to have a single standard -- which you seem to imply by the need to "put a stake in the ground", it suggests the technical proposal is not right yet.

Despite your disparaging of SCIM, I don't think that's the issue.  Whether SCIM or custom API, the Dyn Reg model places too much complexity solely on the client to registration endpoint relationship.

For example, the information content of what the client is asserting is *not* dynamic - only the act of registration is. The client app is for the most part, "fixed", coded in a particular way for use with a specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond just issuing a client_id and exchange all oauth protocol information on the assumption any value might change.  This is a very complex approach.

Then there is the issue of needing full CRUD support, I have not bought into the need for apps to be able to update registration.  Why would they do this?  We do we need de-registration, wouldn't Torsten's revocation draft suffice?

The reason I think the assertion model might be a better path, is that it assumes a larger multi-party flow which moves complexity away from the registration endpoint to the point that in most cases a simple cert swap is all that is needed from the clients perspective.

When Tony and I put forward the SCIM variant, we thought that might be a compromise.  Still after putting it forward, I now feel the same way about it as I do the Dyn Reg draft.  What is useful from it, is the notion of defining a software statement which can be used to simplify the registration process greatly.

> I'll leave it to the chairs to decide if this gets tagged "experimental" or "standards", but I think that we're doing the world a disservice by not shipping what we have.
> 
> -- Justin
> 
> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>> 
>> <snip>
>>>  - OAuth Dynamic Registration
>>>  - SCIM-based OAuth Dynamic Registration
>>>  - Software Statements for OAuth Dynamic Registration
>>> 
>> This thread makes me think we should break out the EXPERIMENTAL
>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>> various groups do what they're gona do (which they'll do anyway) and
>> the the chips fall where they may.
>> 
>> Tony is right in interpreting the discussions in Berlin as quite fractured.
>> Pushing for standards track seems premature.
>> 
>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can
>> be as quick as a couple of I-Ds describing the outcome of the
>> implementation and deployment work that will happen anyway (as
>> you so correctly observe) after which the WG decides how to move
>> forward.
>> 
>> Since bb+ and openidc will do dynreg anyway the document track
>> doesn't really matter which means the usual "vendors won't implement
>> unless its a real RFC"-argument doesn't apply here anyway.
>> 
>>         Cheers Leif
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email