[OAUTH-WG] Assertion Draft: Text about Interoperability -- Today

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Fri, 18 January 2013 12:04 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5578E21F88B2 for <oauth@ietfa.amsl.com>; Fri, 18 Jan 2013 04:04:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id EN9YkJ7DmB1V for <oauth@ietfa.amsl.com>; Fri, 18 Jan 2013 04:04:39 -0800 (PST)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net []) by ietfa.amsl.com (Postfix) with ESMTP id 13AF721F84D8 for <oauth@ietf.org>; Fri, 18 Jan 2013 04:04:38 -0800 (PST)
Received: from demuprx017.emea.nsn-intra.net ([]) by demumfd002.nsn-inter.net ( with ESMTP id r0IC4Tld000881 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 18 Jan 2013 13:04:29 +0100
Received: from demuexc022.nsn-intra.net (demuexc022.nsn-intra.net []) by demuprx017.emea.nsn-intra.net ( with ESMTP id r0IC4TSl030253 for <oauth@ietf.org>; Fri, 18 Jan 2013 13:04:29 +0100
Received: from FIESEXC035.nsn-intra.net ([]) by demuexc022.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Fri, 18 Jan 2013 13:04:28 +0100
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 18 Jan 2013 14:04:28 +0200
Message-ID: <999913AB42CC9341B05A99BBF358718D02513229@FIESEXC035.nsn-intra.net>
Thread-Topic: Assertion Draft: Text about Interoperability -- Today
Thread-Index: Ac31c/ey/0oPxcEZTU2GjVm1VBYpaA==
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth@ietf.org
X-OriginalArrivalTime: 18 Jan 2013 12:04:28.0923 (UTC) FILETIME=[F7B104B0:01CDF573]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 2894
X-purgate-ID: 151667::1358510669-00003C02-1667706C/0-0/0-0
X-Mailman-Approved-At: Fri, 18 Jan 2013 04:06:16 -0800
Subject: [OAUTH-WG] Assertion Draft: Text about Interoperability -- Today
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jan 2013 12:04:40 -0000

Hi all, 

As you have seen on the list (see
http://www.ietf.org/mail-archive/web/oauth/current/msg10526.html) I had
a chat with Mike about how to address my comment for the assertion draft
and Mike kindly provided his text proposal (see
http://www.ietf.org/mail-archive/web/oauth/current/msg10529.html). I
have used his text as input and extended it a bit. Here is the updated


Operational Considerations and Interoperability Expectations

This specification defines a framework for using assertions with OAuth
2.0. However, as an abstract framework on its own, this specification is
not sufficient to produce interoperable implementations. Two other
specifications that instantiate this framework have been developed, one
uses SAML 2.0-based assertions and is described in
[I-D.ietf-oauth-saml2-bearer] and the second builds on JSON Web Tokens
(JWTs) and can be found in [I-D.ietf-oauth-jwt-bearer]. These two
instantiations provide additional details about the assertion encoding
and processing rules for those interested to implement and deploy
assertions with OAuth 2.0. 

However, even with these instance documents an interoperable
implementation is not possible since for a specific deployment
environment (within a trust framework or circle of trust, as it is
sometimes called) agreements about acceptable values for various fields
in the specification have to be agreed upon. For example, the audience
field needs to be populated by the entity that generates the assertion
with a specific value and that value may hold identifiers of different
types (for example, a URL, an IP address, an FQDN) and the entity
receiving and verifying the assertion must compare the value in the
audience field with other information it may obtain from the request
and/or with locally available information. Since the abstract framework
nor the instance documents provide sufficient information about the
syntax, the semantic and the comparison operation of the audience field
additional profiling in further specifications is needed for an
interoperable implementation. This additional profiling is not only
needed for the audience field but also for other fields as well. 

This framework was designed with the expectation that additional
specifications will fill this gap for deployment-specific environments.


You have the choice:

1. take this as-is if you want the assertion draft
(draft-ietf-oauth-assertions ) on the Jan 24 IESG telechat. There is no
normative text in the writeup; it is rather a clarification.

2. discuss it if need be, and draft-ietf-oauth-assertions will be on the
Feb 7
   telechat (if the discussion is done by Feb 1)

1 or 2 needs to be chosen today.


PS: FYI - draft-ietf-oauth-saml2-bearer and draft-ietf-oauth-jwt-bearer
are not yet on the telechat agenda.