Re: [OAUTH-WG] [internet-drafts@ietf.org] New Version Notification for draft-yu-oauth-token-translation-01.txt

Justin Richer <jricher@mit.edu> Mon, 01 December 2014 02:15 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3E661A00F7 for <oauth@ietfa.amsl.com>; Sun, 30 Nov 2014 18:15:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mI9DHLT_8VN0 for <oauth@ietfa.amsl.com>; Sun, 30 Nov 2014 18:15:28 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65A691A00AE for <oauth@ietf.org>; Sun, 30 Nov 2014 18:15:28 -0800 (PST)
X-AuditID: 12074425-f798e6d000000d1a-fa-547bcf3f5ab1
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id CB.8F.03354.F3FCB745; Sun, 30 Nov 2014 21:15:27 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id sB12FQAI007410; Sun, 30 Nov 2014 21:15:26 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sB12FMH8021138 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sun, 30 Nov 2014 21:15:25 -0500
Content-Type: multipart/signed; boundary="Apple-Mail=_91E446E5-80FE-4509-9021-964CF3CB83FE"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <ldvsih0yvpu.fsf@sarnath.mit.edu>
Date: Sun, 30 Nov 2014 21:15:21 -0500
Message-Id: <1E83C7F4-BD75-4038-8FD3-E374A02713AF@mit.edu>
References: <ldvsih0yvpu.fsf@sarnath.mit.edu>
To: Tom Yu <tlyu@mit.edu>
X-Mailer: Apple Mail (2.1878.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrDKsWRmVeSWpSXmKPExsUixCmqrWt/vjrEYPZUfouTb1+xOTB6LFny kymAMYrLJiU1J7MstUjfLoEr49fB2SwF90QrbjZlNTAeEupi5OSQEDCRePJrOzOELSZx4d56 ti5GLg4hgcVMEtOuboByNjJKnNu/hgXCuckk8af7GCOIwywwiVHiwrMHLCD9vAIGEkt2bQKb JSxQLrH0yys2EJtNQFVi+poWJhCbU0BP4vKCh4wgNgtQ/NSeJ2C9zAJCEh8uNUHNsZJYv+M2 WI2QgK7EgrZbYDNFBCQlvm2ayghxq7zEhw/H2ScwCsxCdscsJHfMApurLbFs4Wso20Diaecr VghbXmL72zlQcUuJxTNvsEDYthK3+hYwQdh2Eo+mLWJdwMixilE2JbdKNzcxM6c4NVm3ODkx Ly+1SNdCLzezRC81pXQTIygi2F1UdzBOOKR0iFGAg1GJh1difnWIEGtiWXFl7iFGSQ4mJVHe 0/OAQnxJ+SmVGYnFGfFFpTmpxYcYVYB2Pdqw+gKjFEtefl6qkgjvOQ+gOt6UxMqq1KJ8mDJp DhYlcd5NP/hChATSE0tSs1NTC1KLYLIyHBxKErz/zwI1ChalpqdWpGXmlCCkmTg4DzFKcPAA Dfc+BzK8uCAxtzgzHSJ/ilFRSpz3L0izAEgiozQPrheWyF4xigO9Jcx7EqSKB5gE4bpfAQ1m AhrM0FwJMrgkESEl1cB4+hLLyUVFcqKdEgZ8u1Mmt+WmenyQS89T216n8niDP+/eh/1HS3l2 iEzWL99fFOhrrr9rviG/Wvli++TKev2a+WwXFRYfb4g/59oz143F4eSKHdsWNy9dZ6syTaXM tvXBErOjMxRPPeKe/fFBbaeb/9I8JokgTv9oE9vp/202Hp59yvQiu6ESS3FGoqEWc1FxIgAu GLPTPwMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/p1svZsAHi_CYT37FqVk4-rB3I44
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] [internet-drafts@ietf.org] New Version Notification for draft-yu-oauth-token-translation-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Dec 2014 02:15:30 -0000

Tom,

I think this is interesting and important work as it could help more directly bridge the gap between Kerberos deployments (more common in enterprise/LAN environments) and the OAuth/web/mobile world. 

When you get down to it, there are really two things going on here: mapping Kerberos ticket claims to JWT claims (and vice versa), and the act of actually translating a ticket into an OAuth token. Perhaps these should be separated more cleanly? I can very easily picture a service that takes in Kerberos tickets and spits out unstructured tokens (or at least tokens without the same claims baked in). This could be specified as an extension of the OAuth Assertions framework, mirroring the JWT and SAML assertions, and could pretty easily be picked up as a WG document if people wanted it. 

In addition to that (but ultimately separate from it, whether it’s in the same document or not), a mechanism for expressing the set of information that’s inside of the Kerberos ticket using the JOSE family of specs still makes sense to have. Much of what’s in JWT’s claim set was influenced by SAML and (to a lesser extent) X.509, so it seems useful to have a similar Kerberos-to-JWT translation process, especially since Kerberos has a few fields that aren’t covered by the current JWT claim set and could be found useful by applications. Better to line up with an existing protocol in this case, in my opinion.

 — Justin

On Nov 30, 2014, at 9:01 PM, Tom Yu <tlyu@mit.edu> wrote:

> Added more technical details and examples.
> 
> <New Version Notification for draft-yu-oauth-token-translation-01_txt.eml>_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth