From: Justin Richer <jricher@mit.edu>
To: Tom Yu <tlyu@mit.edu>
Cc: oauth@ietf.org
Date: Sun, 30 Nov 2014 21:15:21 -0500
Subject: Re: [OAUTH-WG] [internet-drafts@ietf.org] New Version Notification for draft-yu-oauth-token-translation-01.txt
In-Reply-To: <ldvsih0yvpu.fsf@sarnath.mit.edu>
Message-Id: <1E83C7F4-BD75-4038-8FD3-E374A02713AF@mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/p1svZsAHi_CYT37FqVk4-rB3I44
List-Id: OAUTH WG <oauth.ietf.org>

Tom,

I think this is interesting and important work as it could help more directly bridge the gap between Kerberos deployments (more common in enterprise/LAN environments) and the OAuth/web/mobile world.

When you get down to it, there are really two things going on here: mapping Kerberos ticket claims to JWT claims (and vice versa), and the act of actually translating a ticket into an OAuth token. Perhaps these should be separated more cleanly? I can very easily picture a service that takes in Kerberos tickets and spits out unstructured tokens (or at least tokens without the same claims baked in). This could be specified as an extension of the OAuth Assertions framework, mirroring the JWT and SAML assertions, and could pretty easily be picked up as a WG document if people wanted it.

In addition to that (but ultimately separate from it, whether it’s in the same document or not), a mechanism for expressing the set of information that’s inside of the Kerberos ticket using the JOSE family of specs still makes sense to have. Much of what’s in JWT’s claim set was influenced by SAML and (to a lesser extent) X.509, so it seems useful to have a similar Kerberos-to-JWT translation process, especially since Kerberos has a few fields that aren’t covered by the current JWT claim set and could be found useful by applications. Better to line up with an existing protocol in this case, in my opinion.

 — Justin

On Nov 30, 2014, at 9:01 PM, Tom Yu <tlyu@mit.edu> wrote:

> Added more technical details and examples.
>
> <New Version Notification for draft-yu-oauth-token-translation-01_txt.eml>
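A sketch of the two pieces Justin separates above, the Kerberos-to-JWT claim mapping and the translation service that turns a ticket into an OAuth token via an assertion-style grant. This is an added example and is not code from draft-yu-oauth-token-translation, from Tom Yu, or from Justin Richer. It assumes as input a constructed dict of already-decrypted ticket fields (named after the RFC 4120 Ticket/EncTicketPart fields), an unregistered grant-type URN under `urn:example:`, a `krb` claim name for the Kerberos-only fields, and HS256 with a constructed key for the issued token. The `grant_type`/`assertion` request parameters (RFC 7521), the JWT registered claims (RFC 7519) and OpenID Connect's `auth_time` are the only real identifiers it relies on. Decrypting a real AP-REQ with the service key is out of scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample: the decrypted content of a Kerberos service ticket, flattened
# into one dict. "realm" and "sname" come from the outer Ticket, the rest from the
# EncTicketPart (RFC 4120 section 5.3). All values are made up.
SAMPLE_TICKET = {
    "realm": "EXAMPLE.COM",
    "sname": {"name-type": 2, "name-string": ["HTTP", "api.example.com"]},
    "flags": ["forwardable", "renewable", "pre-authent"],
    "crealm": "EXAMPLE.COM",
    "cname": {"name-type": 1, "name-string": ["alice"]},
    "transited": "",
    "authtime": 1417391000,
    "starttime": 1417391000,
    "endtime": 1417427000,
    "renew-till": 1417995800,
    "authorization-data": [{"ad-type": 1, "ad-data": "<opaque>"}],
}

# Assumed, unregistered grant-type URN meaning "the assertion is a Kerberos ticket";
# RFC 7521 itself only defines the generic grant_type and assertion parameters.
KERBEROS_GRANT_TYPE = "urn:example:params:oauth:grant-type:kerberos-ticket"
TOKEN_LIFETIME = 3600  # seconds; cap on the derived token's lifetime (policy choice)


def principal_to_string(name, realm):
    """Render a PrincipalName plus realm in the usual comp1/comp2@REALM form."""
    return "/".join(name["name-string"]) + "@" + realm


def map_ticket_to_claims(ticket, now):
    """Translate ticket fields into a JWT claim set. Fields with a registered JWT
    counterpart (or OIDC's auth_time) map onto it; the Kerberos-specific remainder
    is kept under the assumed "krb" claim so nothing is silently dropped."""
    starttime = ticket.get("starttime", ticket["authtime"])
    if ticket["endtime"] <= now:
        raise ValueError("ticket has expired; refusing to mint a token from it")
    if starttime > now:
        raise ValueError("ticket is postdated and not yet valid")
    return {
        "iss": ticket["crealm"],  # assumption: the realm that vouched for the client
        "sub": principal_to_string(ticket["cname"], ticket["crealm"]),
        "aud": principal_to_string(ticket["sname"], ticket["realm"]),
        "iat": now,
        "nbf": starttime,
        # The derived token must never outlive the ticket it was minted from.
        "exp": min(ticket["endtime"], now + TOKEN_LIFETIME),
        "auth_time": ticket["authtime"],
        "krb": {
            "flags": ticket["flags"],
            "transited": ticket["transited"],
            "renew_till": ticket.get("renew-till"),
            # authorization-data is opaque per ad-type; only the types are surfaced.
            "ad_types": [ad["ad-type"] for ad in ticket.get("authorization-data", [])],
        },
    }


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_assertion(ticket):
    """Client side of the sketch: package the ticket dict as the assertion value."""
    return b64url(json.dumps(ticket).encode())


def sign_jwt(claims, key):
    """Produce a compact HS256 JWS over the claim set (stdlib only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token, key, now):
    """Check alg, HS256 signature and expiry; return the claims or raise ValueError."""
    h, p, s = token.split(".")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def translate(grant_type, assertion, key, now=None):
    """Token-endpoint handler for the assumed Kerberos assertion grant."""
    now = int(time.time()) if now is None else now
    if grant_type != KERBEROS_GRANT_TYPE:
        raise ValueError("unsupported_grant_type")
    claims = map_ticket_to_claims(json.loads(b64url_decode(assertion)), now)
    return {"access_token": sign_jwt(claims, key), "token_type": "Bearer",
            "expires_in": claims["exp"] - now}
```

Calling `translate(KERBEROS_GRANT_TYPE, encode_assertion(SAMPLE_TICKET), key, now)` plays the role of the token endpoint; `verify_jwt` is what the resource server would run. The two halves are deliberately independent functions: `map_ticket_to_claims` is the JOSE-expression piece and could be reused verbatim if the service instead handed out opaque tokens with the claims stored server-side, which is the separation the message argues for. The `exp` cap is the one invariant worth keeping whatever else changes: a token minted from a ticket should expire no later than the ticket does.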