Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

Roland Hedberg <roland.hedberg@umu.se> Thu, 04 February 2016 08:17 UTC

Return-Path: <roland.hedberg@umu.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E9FC1A1B27 for <oauth@ietfa.amsl.com>; Thu, 4 Feb 2016 00:17:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nPUzoXyizb1w for <oauth@ietfa.amsl.com>; Thu, 4 Feb 2016 00:17:02 -0800 (PST)
Received: from smtp5.umu.se (smtp5.umu.se [130.239.8.142]) by ietfa.amsl.com (Postfix) with ESMTP id 458271A1B24 for <oauth@ietf.org>; Thu, 4 Feb 2016 00:17:02 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.22,393,1449529200"; d="asc'?scan'208";a="86016099"
X-IPAS-Result: A2CoBAClB7NW/84N74JeGQEBAQEPAQEBAYJffW0GiFWycwIFFwqFbAKCBgEBAQEBAYELhEEBAQEBAgEBAQEaBksLBQcEAgEIDgMBAwEBAScDAgInCxQDBggCBA4FCQWHeAMKCAENsT2PHQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ0IhhKBbQiCQoIoD4IBMoIQOBMYgQ8FlnGCfIFjaogLgVSEQohUim6DUmKDZGqHLgF7AQEB
Received: from umu-ex06.ad.umu.se (HELO mail.ad.umu.se) ([130.239.13.206]) by smtp5.umu.se with ESMTP; 04 Feb 2016 09:16:36 +0100
Received: from UMU-EX03.ad.umu.se (2002:82ef:dcb::82ef:dcb) by UMU-EX06.ad.umu.se (2002:82ef:dce::82ef:dce) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Thu, 4 Feb 2016 09:16:36 +0100
Received: from UMU-EX03.ad.umu.se ([fe80::708f:f02f:c850:d133]) by UMU-EX03.ad.umu.se ([fe80::708f:f02f:c850:d133%24]) with mapi id 15.00.1130.005; Thu, 4 Feb 2016 09:16:36 +0100
From: Roland Hedberg <roland.hedberg@umu.se>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
Thread-Index: AQHRXyRdt6Yq8OKEIECHBgsogZ0EYA==
Date: Thu, 4 Feb 2016 08:16:36 +0000
Message-ID: <E9268B31-587C-40C9-8389-741E7D058B4C@adm.umu.se>
References: <569E2276.5070407@gmx.net> <8A2DAF46-BAF7-439D-8FE3-65EA2DA8E692@mit.edu> <47F7D0BA-8E98-4E37-BA84-D128C0FD8396@ve7jtb.com> <BY2PR03MB442067CA10AADEAA3E974A6F5C20@BY2PR03MB442.namprd03.prod.outlook.com> <C10A8618-9939-4B04-845E-61C95F5ECAA4@ve7jtb.com>
In-Reply-To: <C10A8618-9939-4B04-845E-61C95F5ECAA4@ve7jtb.com>
Accept-Language: en-US, sv-SE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail 2.5.2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.239.200.165]
Content-Type: multipart/signed; boundary="Apple-Mail=_616D18FC-C569-459D-8985-79F2DCE96D99"; protocol="application/pgp-signature"; micalg=pgp-sha256
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/iVfSOb6kpD6WJ9qL9PQgdqRIahg>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 08:17:05 -0000

+1

> 20 jan 2016 kl. 23:07 skrev John Bradley <ve7jtb@ve7jtb.com>om>:
> 
> So if this is scoped to be a registry for the values of a JWT claim then it is fine.
> We should discourage people from thinking that it is part of the OAuth protocol vs JWT claims.
> 
> John B.
> 
>> On Jan 20, 2016, at 6:29 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> 
>> The primary purpose of the specification is to establish a registry for "amr" JWT claim values.  This is important, as it increases interoperability among implementations using this claim.
>> 
>> It's a fair question whether "requested_amr" should be kept or dropped.  I agree with John and James that it's bad architecture.  I put it in the -00 individual draft to document existing practice.  I suspect that should the draft is adopted by the working group as a starting point, one of the first things the working group will want to decide is whether to drop it.  I suspect that I know how this will come out and I won't be sad, architecturally, to see it go.
>> 
>> As to whether this belongs in the OAuth working group, long ago it was decided that JWT and JWT claim definitions were within scope of the OAuth working group.  That ship has long ago sailed, both in terms of RFC 7519 and it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, which defines a new JWT claim, and is in the RFC Editor Queue.  Defining a registry for values of the "amr" claim, which is registered in the OAuth-established registry at http://www.iana.org/assignments/jwt, is squarely within the OAuth WG's mission for the creation and stewardship of JWT.
>> 
>> 				-- Mike
>> 
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
>> Sent: Wednesday, January 20, 2016 12:44 PM
>> To: Justin Richer <jricher@mit.edu>
>> Cc: <oauth@ietf.org> <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
>> 
>> I see your point that it is a fine line reporting how a person authenticated to a Authorization endpoit (it might be by SAML etc) and encouraging people to use OAuth for Authentication.
>> 
>> We already have the amr response in connect.  The only thing really missing is a registry.  Unless this is a sneaky way to get requested_amr into Connect?
>> 
>> John B.
>>> On Jan 20, 2016, at 5:37 PM, Justin Richer <jricher@mit.edu> wrote:
>>> 
>>> Just reiterating my stance that this document detailing user authentication methods has no place in the OAuth working group.
>>> 
>>> — Justin
>>> 
>>>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> this is the call for adoption of Authentication Method Reference
>>>> Values, see
>>>> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>>>> 
>>>> Please let us know by Feb 2nd whether you accept / object to the
>>>> adoption of this document as a starting point for work in the OAuth
>>>> working group.
>>>> 
>>>> Note: The feedback during the Yokohama meeting was inconclusive,
>>>> namely
>>>> 9 for / zero against / 6 persons need more information.
>>>> 
>>>> You feedback will therefore be important to find out whether we
>>>> should do this work in the OAuth working group.
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth