Re: [OAUTH-WG] Call for Adoption
Justin Richer <jricher@mit.edu> Wed, 20 January 2016 13:53 UTC
To: Nat Sakimura <sakimura@gmail.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/l79vL1zmWKTUJj7awZlUGojaAYA>
+1

Inline discovery and pre-configured discovery (i.e., .well-known) should at the very least be compatible and developed together. It's the pre-configured discovery document that's at the root of the mix-up attack in the first place.

 -- Justin

On 1/19/2016 10:30 PM, Nat Sakimura wrote:
> Just to give more context, at IETF 94, I have done a presentation on
> discovery.
>
> According to the minutes,
>
>     (f) Discovery (Nat)
>
>     Nat explains his document as an example of the work that has to be done
>     in the area of discovery, which is a topic that has been identified
>     as necessary for interoperability since many years but so far there
>     was not time to work on it. Mike, John and Nat are working on a new
>     document that describes additional discovery-relevant components.
>
>     Poll: 19 for / zero against / 4 persons need more information.
>
> The document discussed there was
> https://tools.ietf.org/html/draft-sakimura-oauth-meta-05. This is a
> simple (only 1-page!) but a very powerful document that nudges towards
> HATEOAS which is at the core of RESTful-ness. It also mitigates the
> Mix-up attack without introducing the concept of issuer which is not
> in RFC6749. It is also good for selecting different endpoints
> depending on the user authentication and authorization results and
> more privacy sensitive than pre-announced Discovery document. It also
> allows you to find to which protected resource endpoint you can use
> the access token against.
>
> In the last sentence of the minutes, it talks about "a new document
> that describes additional discovery-relevant components". This is
> https://tools.ietf.org/html/draft-jones-oauth-discovery-00. It went
> for the call for adoption. However, it is only a half of the story. I
> believe https://tools.ietf.org/html/draft-sakimura-oauth-meta-05 that
> was discussed at IETF 94 and had support there should be adopted as well.
>
> Nat Sakimura
>
> On Wed, Jan 20, 2016 at 12:05, Nat Sakimura <sakimura@gmail.com> wrote:
>
> > Thanks Hannes.
> >
> > I did not find
> > https://tools.ietf.org/html/draft-sakimura-oauth-meta-05, which
> > was discussed in Yokohama, and was largely in agreement if my
> > recollection is correct. Why is it not in the call for adoption?
> >
> > On Tue, Jan 19, 2016 at 20:39, Hannes Tschofenig
> > <hannes.tschofenig@gmx.net> wrote:
> >
> > > Hi all,
> > >
> > > we have submitted our new charter to the IESG (see
> > > http://www.ietf.org/mail-archive/web/oauth/current/msg15379.html) and
> > > since some IESG members like to see an updated list of milestones as
> > > well. For this reason, based on a suggestion from Barry, we are also
> > > starting a call for adoption concurrently with the review of the charter
> > > text by the IESG.
> > >
> > > We will post separate mails on the individual documents. Your feedback
> > > is important! Please take the time to look at the documents and provide
> > > your feedback.
> > >
> > > Ciao
> > > Hannes & Derek
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth