Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Anthony Nadalin <tonynad@microsoft.com> Thu, 02 February 2017 00:27 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16854129619; Wed, 1 Feb 2017 16:27:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ulvTR7qy2HwW; Wed, 1 Feb 2017 16:27:15 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0117.outbound.protection.outlook.com [104.47.32.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9C101294F0; Wed, 1 Feb 2017 16:27:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=QAR8gYyrYwmLMlmG6wP6MjbfegQ+DDQ7p3QCtMwxYYk=; b=Zqz0DzfhytwSTICykW9GCx73z5gr/3wPSztrOsrtO4E8YWXMX72q3sz1ZsFPCGGQvf4ktn4Prb+oVRw+KY79Zlkgw6B1+qK6moF7lo7HJ5H7QfVa+StawiVBbU5fvyqcsKspyFfH3DUjmRsQBaMkfpNy3AEGu3RGeIVyHE3CHXQ=
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN2PR03MB2368.namprd03.prod.outlook.com (10.166.210.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.874.12; Thu, 2 Feb 2017 00:27:12 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0860.026; Thu, 2 Feb 2017 00:27:12 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mike Jones <Michael.Jones@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Thread-Index: AQHSe97GorBcOHuDmkGNgYGkSGkYdqFUP6sAgAABIQCAACDtgIAAWs6AgAAcifCAAAPdgIAAAKeAgAAArSA=
Date: Thu, 02 Feb 2017 00:27:12 +0000
Message-ID: <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <c0e62125-14e6-2390-87e3-72a2422f732f@bogus.com> <d9d0f5ae-6dcd-98cc-6113-96e937332b60@cs.tcd.ie> <BN3PR03MB23559422F9C2474DB04094FEF54D0@BN3PR03MB2355.namprd03.prod.outlook.com> <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie> <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie>
In-Reply-To: <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tonynad@microsoft.com;
x-originating-ip: [131.107.159.71]
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-ms-office365-filtering-correlation-id: 0477e73d-d6ea-4c15-fa00-08d44b023b5c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:SN2PR03MB2368;
x-microsoft-exchange-diagnostics: 1; SN2PR03MB2368; 7:sM4wlz+BC7v25eZmS0u2Et0NH3N3qwkB411bIyYQ6VtWO4a13YJs+XDGzv2a2zM35wyxr6oHLa/QT3LiPYWLEEbGchk94Mif2xOIl/mjlChMbA1Wx5TKZC2FAQeP34yNT05pVCzmiVOk2JVGRHVQKQRdnHC9oDBXiFiePAC86XjMNh/9EsHYruMrSHYS40OduONvq9PLXCP4Z18Vd/3hvmIu5k3E/9HmwfmjmPgNiHM1fmV4xWXooGrEqaMhAU2RpJl7YmtjGZbCVXxCw/lFulHgMrZhxR/5TbqLCzUh4WqTLFL12mEPVL3EhWRsT46zHMw1boFG/t74dSyVNQl+9CWfGmEv074lBmZj4uFc39G1HUhEOy7u+xPfPJe3oC6V/FKGNJ0DzzS8LCANaa+ZYJxiEzMa9pWTbaNd/0r+QBIs0KfdJlbB61TXgcZd3qqYqPLppY7Gj74fVtCzC0ietNsZO324GjwspQQr4K/anYKihugNYpVznvbD0HOyiyaQ/274YAlCHx5A+AYDpSiQUIL5W2WK1PitqHBdCN/Wg3Ek45tLIITsDjAZCGgE/5Rd
x-microsoft-antispam-prvs: <SN2PR03MB2368E16D7C8D6624A81F3B7DA64C0@SN2PR03MB2368.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715)(120809045254105);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123555025)(20161123564025)(20161123560025)(20161123558025)(20161123562025)(6072148); SRVR:SN2PR03MB2368; BCL:0; PCL:0; RULEID:; SRVR:SN2PR03MB2368;
x-forefront-prvs: 02065A9E77
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39450400003)(39410400002)(39860400002)(39850400002)(51444003)(51914003)(24454002)(13464003)(189002)(40224003)(377454003)(199003)(77096006)(3846002)(33656002)(86362001)(2421001)(25786008)(99286003)(106356001)(97736004)(106116001)(189998001)(105586002)(5001770100001)(8936002)(76176999)(81156014)(81166006)(10290500002)(38730400001)(50986999)(86612001)(8990500004)(5005710100001)(54356999)(8676002)(6506006)(122556002)(6436002)(10090500001)(2561002)(229853002)(68736007)(230783001)(66066001)(551544002)(966004)(93886004)(1511001)(3660700001)(4326007)(6116002)(9686003)(53936002)(101416001)(92566002)(5660300001)(102836003)(6306002)(3280700002)(3900700001)(55016002)(7736002)(305945005)(74316002)(54906002)(2900100001)(7696004)(2906002)(2950100002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN2PR03MB2368; H:SN1PR0301MB2029.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Feb 2017 00:27:12.1266 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR03MB2368
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hMJM6S-G9PFOvAq49j90EB2BatI>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2017 00:27:18 -0000
We have interoped between FIDO authenticators vendors and Windows Hello -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, 2017 4:24 PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS) On 02/02/17 00:21, Mike Jones wrote: > Thanks, Tony. I can add that reference. > > Stephen, the sets of initial values were chosen from those used in > practice by Microsoft and Google in real deployments. Genuine questions: do you aim to have interop between those deployments? What if I wanted to write code that'd interop with msft or google? S. > > About "otp", there are existing use cases for indicating that an OTP > was used. I'm not aware of any of these use cases where the > distinction between TOTP and HOTP is important. Thus, having "otp" > now makes sense, where having "hotp" and "totp" now doesn't. > > Stephen, this may seem like splitting hairs, but the registry > instructions for "Specification Document(s)" are about having a > reference for the document where the Authentication Method Reference > Name (such as "otp") is defined. In all cases for the initial > values, this is the RFC-to-be, so the registry instructions are > satisfied. If someone were, for instance, to define the string > "hotp", it would be incumbent on the person requesting its > registration to provide a URL to the document where the string "hotp" > is defined. Also having a reference to RFC 4226 in that document > would be a good thing, but that isn't what the registry instructions > are about. > > All that said, I can look at also finding appropriate references for > the remaining values that don't currently have them. (Anyone got a > good reference for password or PIN to suggest, for instance?) > > -- Mike > > -----Original Message----- From: Anthony Nadalin Sent: Wednesday, > February 1, 2017 4:10 PM To: Stephen Farrell > <stephen.farrell@cs.tcd.ie>; Mike Jones > <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>; The > IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org; > draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: RE: > [OAUTH-WG] Stephen Farrell's Discuss on > draft-ietf-oauth-amr-values-05: (with DISCUSS) > > NIST asked for the addition of IRIS (as they are seeing more use of > IRIS over retina due to the accuracy of iris) as they have been > doing significant testing on various iris devices and continue to do > so, here is a report that NIST released > http://2010-2014.commerce.gov/blog/2012/04/23/nist-iris-recognition-report-evaluates-needle-haystack-search-capability.html > > > -----Original Message----- From: Stephen Farrell > [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, 2017 > 2:26 PM To: Mike Jones <Michael.Jones@microsoft.com>; joel jaeggli > <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc: > oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; > oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on > draft-ietf-oauth-amr-values-05: (with DISCUSS) > > > Hi Mike, > > On 01/02/17 17:00, Mike Jones wrote: >> Thanks for the discussion, Stephen. >> >> To your point about "otp", the working group discussed this very >> point. They explicitly decided not to introduce "hotp" and "totp" >> identifiers because no one had a use case in which the distinction >> mattered. > > Then I'm not following why adding "otp" to the registry now is a good > plan. > > If there's a use-case now, then adding an entry with a good reference > to the relevant spec seems right. > > If there's no use-case now, then not adding it to the registry seems > right. (Mentioning it as a possible future entry would be fine.) > > I think the same logic would apply for all the values that this spec > adds to the registry. Why is that wrong? > >> Others can certainly introduce those identifiers and register them >> if they do have such a use case, once the registry has been >> established. But the working group wanted to be conservative about >> the identifiers introduced to prime the registry, and this is such >> a case. >> >> What identifiers to use and register will always be a balancing >> act. You want to be as specific as necessary to add practical and >> usable value, but not so specific as to make things unnecessarily >> brittle. > > Eh... don't we want interop? Isn't that the primary goal here? > >> While some might say there's a difference between serial number >> ranges of particular authentication devices, going there is >> clearly in the weeds. On the other hand, while there used to be an >> "eye" identifier, Elaine Newton of NIST pointed out that there are >> significant differences between retina and iris matching, so "eye" >> was replaced with "retina" and "iris". Common sense informed by >> actual data is the key here. > > That's another good example. There's no reference for "iris." If that > is used in some protocol, then what format(s) are expected to be > supported? Where do I find that spec? If we can answer that, then > great, let's add the details. If not, then I'd suggest we omit "iris" > and leave it 'till later to add an entry for that. And again, > including text with "iris" as an example is just fine, all I'm asking > is that we only add the registry entry if we can meet the same bar > that we're asking the DE to impose on later additions. > > And the same for all the others... > > Cheers, S. > > >> >> The point of the registry requiring a specification reference is >> so people using the registry can tell where the identifier is >> defined. For all the initial values, that requirement is satisfied, >> since the reference will be to the new RFC. I think that aligns >> with the point that Joel was making. >> >> Your thoughts? >> >> -- Mike >> >> -----Original Message----- From: OAuth >> [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell Sent: >> Wednesday, February 1, 2017 7:03 AM To: joel jaeggli >> <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc: >> oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; >> oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss >> on draft-ietf-oauth-amr-values-05: (with DISCUSS) >> >> >> >> On 01/02/17 14:58, joel jaeggli wrote: >>> On 1/31/17 8:26 AM, Stephen Farrell wrote: >>>> Stephen Farrell has entered the following ballot position for >>>> draft-ietf-oauth-amr-values-05: Discuss >>>> >>>> When responding, please keep the subject line intact and reply >>>> to all email addresses included in the To and CC lines. (Feel >>>> free to cut this introductory paragraph, however.) >>>> >>>> >>>> Please refer to >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for >>>> more information about IESG DISCUSS and COMMENT positions. >>>> >>>> >>>> The document, along with other ballot positions, can be found >>>> here: >>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ >>>> >>>> >>>> >>>> --------------------------------------------------------------------- >>>> >>>> > >>>> - >>>> DISCUSS: >>>> --------------------------------------------------------------------- >>>> >>>> > >>>> - >>>> >>>> This specification seems to me to break it's own rules. You >>>> state that registrations should include a reference to a >>>> specification to improve interop. And yet, for the strings >>>> added here (e.g. otp) you don't do that (referring to section 2 >>>> will not improve interop) and there are different ways in which >>>> many of the methods in section 2 can be done. So I think you >>>> need to add a bunch more references. >>> >>> Not clear to me that the document creating the registry needs to >>> adhere to the rules for further allocations in order to >>> prepoulate the registry. that is perhaps an appeal to future >>> consistency. >> >> Sure - I'm all for a smattering of inconsistency:-) >> >> But I think the lack of specs in some of these cases could impact >> on interop, e.g. in the otp case, they quote two RFCs and yet only >> have one value. That seems a bit broken to me, so the discuss isn't >> really about the formalism. >> >> S. >> >> >>>> >>>> >>>> >>> >>> >> >
- [OAUTH-WG] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… joel jaeggli
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Anthony Nadalin
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Anthony Nadalin
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Anthony Nadalin
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Manger, James
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones