Re: [OAUTH-WG] Shepherd Writeup for draft-ietf-oauth-spop-06.txt

Brian Campbell <bcampbell@pingidentity.com> Wed, 18 February 2015 16:46 UTC

To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gpO2ide1RCtFqVWYEbHYl_0uRFo>
Cc: oauth <oauth@ietf.org>, "naa@google.com >> Naveen Agarwal" <naa@google.com>

There's a bit of MTI talk tucked into
https://tools.ietf.org/html/draft-ietf-oauth-spop-10#section-4.4.1 that
perhaps needs to be expanded and/or placed somewhere else.

On Wed, Feb 18, 2015 at 8:33 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Thanks for the info, Torsten.
>
> Your feedback raises an interesting question, namely what functionality
> the parties have to implement to claim conformance to the specification.
>
> Quickly scanning through the specification didn't tell me whether it is
> OK to just implement the plain mode or whether both modes are
> mandatory-to-implement. We have to say something about this.
>
> Ciao
> Hannes
>
>
> On 02/18/2015 02:16 PM, torsten@lodderstedt.net wrote:
> > Hi Hannes,
> >
> > our implementation supports the "plain" mode only. We just verified
> > compliance of our implementation with the current spec. As the only
> > deviation, we do not enforce the minimum length of 43 characters of the
> > code verifier.
> >
> > kind regards,
> > Torsten.
> >
> > On 17.02.2015 17:48, Hannes Tschofenig wrote:
> >> Hi Torsten,
> >>
> >> does this mean that your implementation is not compliant with the
> >> current version anymore or that you haven't had time to verify whether
> >> there are differences to the earlier version?
> >>
> >> Ciao
> >> Hannes
> >>
> >>
> >> On 01/31/2015 05:34 PM, Torsten Lodderstedt wrote:
> >>> Deutsche Telekom also implemented an early version of the draft last
> >>> year.
> >>>
> >>>
> >>>
> >>> On 30.01.2015 at 18:50, Brian Campbell
> >>> <bcampbell@pingidentity.com> wrote:
> >>>
> >>>>
> >>>> On Tue, Jan 27, 2015 at 9:24 AM, Hannes Tschofenig
> >>>> <hannes.tschofenig@gmx.net> wrote:
> >>>>
> >>>>
> >>>>     1) What implementations of the spec are you aware of?
> >>>>
> >>>>
> >>>> We have an AS side implementation of an earlier draft that was
> >>>> released in June of last year:
> >>>>
> >>>> http://documentation.pingidentity.com/pages/viewpage.action?pageId=26706844
> >>>>
>
>
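
The two points raised in this thread, the "plain" versus hashed mode and the 43-character minimum for the code verifier, shown as an authorization-server check. This is an added example, not part of the original messages or of any implementation mentioned in them. It follows RFC 7636 (the published form of this draft); the function names, the `allowed_methods` policy parameter and the reason strings are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636: code_verifier is 43-128 characters from the unreserved set
# [A-Z] [a-z] [0-9] "-" "." "_" "~".
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge, stored_method, code_verifier,
                allowed_methods=("S256",)):
    """Token-endpoint check. Returns (ok, reason).

    stored_challenge / stored_method are what the server bound to the
    authorization code. allowed_methods is a hypothetical deployment policy:
    leaving "plain" out of it rejects downgrade to the unhashed mode.
    """
    # An absent code_challenge_method means "plain" (RFC 7636, section 4.3).
    method = stored_method or "plain"
    if method not in allowed_methods:
        return False, "method_not_allowed"
    # Enforce length and alphabet before comparing anything; this is the
    # check the thread describes as not enforced.
    if not isinstance(code_verifier, str) or not VERIFIER_RE.fullmatch(code_verifier):
        return False, "invalid_verifier"
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False, "unsupported_method"
    # Constant-time comparison of the derived and stored challenge.
    if not hmac.compare_digest(expected.encode(), stored_challenge.encode()):
        return False, "mismatch"
    return True, "ok"


# Test vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
```

A server that accepts only "plain" would pass `allowed_methods=("plain",)`; one that supports both passes both values and still rejects verifiers shorter than 43 characters.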