Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Josh Mandel <jmandel@gmail.com> Tue, 20 August 2013 15:30 UTC
Return-Path: <jmandel@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8288B11E8261 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 08:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVkPBK1YP4-S for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 08:30:36 -0700 (PDT)
Received: from mail-pb0-x231.google.com (mail-pb0-x231.google.com [IPv6:2607:f8b0:400e:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 2101E11E8243 for <oauth@ietf.org>; Tue, 20 Aug 2013 08:30:32 -0700 (PDT)
Received: by mail-pb0-f49.google.com with SMTP id xb4so557929pbc.22 for <oauth@ietf.org>; Tue, 20 Aug 2013 08:30:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=zX9nbq/pW3WnDmlDQlcXAIFK1JY5/y0nw5HgfQTPDvw=; b=HVYsyLlBR7VGRjUqwzUktY6ClJC2EruPlcp5zlLshNlG24+hlcWF/4n4SF8YCSlqz+ rdaJ6xKhx4dEFjoK8Ne16H79tohfg8GjQSanUAsg3d+qyzyuKUOzkTVd9wSJhuOnNUg/ 2Zlw+YVfMBe4LUBTdEOzvhKa/8keJ4eh9XSlTJKwG+4Xmd3QKVnfyLe7Y1LnhhkfVuxU ng9m3x/V6ZKLSWdSNfdPMCPp4E9Te8ljk2EGubfPhyTzcyjx45XfrhkkXEKH6+X691ks ZMN7BwiAvdyYXRtY+uBZaZrxxVmoomp15qDfhfXTLpOk1+DagEhGK1Z/ShHKyAxy+YJi yGWw==
X-Received: by 10.67.23.36 with SMTP id hx4mr4597527pad.54.1377012631077; Tue, 20 Aug 2013 08:30:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.211.4 with HTTP; Tue, 20 Aug 2013 08:30:16 -0700 (PDT)
In-Reply-To: <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
From: Josh Mandel <jmandel@gmail.com>
Date: Tue, 20 Aug 2013 08:30:16 -0700
Message-ID: <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="047d7b072450ba0d5b04e462bcad"
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 15:30:41 -0000
The group may be interested in bits of the following classification that we put together for BlueButton+: http://blue-button.github.io/blue-button-plus-pull/#client-types Here, we classified apps according to 1. whether they can protect a `client_secret` and 2. whether they can protect a `registration_jwt` (issued by a third party and presented by the client to the registration endpoint at registration time) We used this classification with the current dyn-reg draft, in order to give implementers a concrete idea about how policy might vary according to client type. Part of why this works nicely for BB+ is that we actually get to control (well, specify!) policy within the BB+ network. -Josh On Tue, Aug 20, 2013 at 8:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > By taxonomy i mean the distinct types of clients and associations. > > Eg > - javascript > - native app > - web app > - apps that associate to one endpoint vs those the register with multiple > based on events > - perm vs temporary associations > > There are probably more. > > As Torsten mentions one of the most important factors is first how the > server recognizes the client that is registering. It needs to do this to > set or associate policy. > > What does a service provider gain if it has no information about clients? > The downside of issuing random client_ids is little or no policy based > access control and resource depletion. > > So we have to ask ourselves in each case why register? What is achieved > for each side? Client id is a major factor but it is not THE factor. > > Phil > > On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" < > hannes.tschofenig@nsn.com> wrote: > > > Hi Phil, > > > > > >> I think we should start by reviewing use cases taxonomy. > > > > > > What do you mean by "use cases taxonomy"? What exactly would we discuss > under that item? > > > >> > >> Then a discussion on any client_id assumptions and actual requirements > >> for each client case. Why is registration needed for each case? > > > > I guess you are bringing the use case to the table where there is no > client id needed (?) or where the client id is provided by yet another > party (other than the one running the AS). > > > >> > >> The statement can solve some complication but should be put in context > >> of use cases. > > > > Ciao > > Hannes > > > >> Phil > >> > >> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> > >> wrote: > >> > >>> -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA512 > >>> > >>> - -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA512 > >>> > >>> Based on your feedback via the poll let us start with August 22nd > >> with the first conference call. I will distribute the conference call > >> details on Tuesday. > >>> > >>> Let us talk about the agenda. There were several items brought up in > >> discussions, namely > >>> > >>> * Software assertions / software statements > >>> > >>> We briefly discussed this topic at the IETF OAuth session but we may > >> need more time to understand the implications for the current dynamic > >> client registration document: > >>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx > >>> > >>> * SCIM vs. current dynamic client registration approach for > >> interacting with the client configuration endpoint > >>> > >>> In the past we said that it would be fine to have a profile defined > >> in SCIM to provide the dynamic client registration for those who > >> implement SCIM and want to manage clients also using SCIM. It might, > >> however, be useful to compare the two approaches in detail to see what > >> the differences are. > >>> > >>> * Interactions with the client registration endpoint > >>> > >>> Justin added some "life cycle" description to the document to > >> motivate some of the design decisions. Maybe we need to discuss those > >> in more detail and add further text. > >>> Additional text could come from the NIST Blue Button / Green Button > >> usage. > >>> > >>> * Aspects that allow servers to store less / no state > >>> > >>> - - From the discussions on the list it was not clear whether this is > >> actually accomplishable with the current version of OAuth. We could > >> explore this new requirement and try to get a better understanding how > >> much this relates to dynamic client registration and to what extend it > >> requires changes to the core spec. > >>> > >>> > >>> What would you like to start with? Other topics you would like to > >> bring up? > >>> - -----BEGIN PGP SIGNATURE----- > >>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin) > >>> Comment: GPGTools - http://gpgtools.org > >>> > >>> iQEcBAEBCgAGBQJSEULvAAoJEGhJURNOOiAtttEH/Aogg8Q/R/L9/mzU05IQbnze > >>> AdXB1ZvySkV3jZT4I5shmP7hQr6mc6P6UdvyOrSjrvPlBHen55/oa5z7Cwchd1dk > >>> dcDUEavbodjnm9SrOs0nKaTvdeZimFSBkGMrfhoTYLXpymP24F9PZgwUXdOcFocF > >>> OiCs3qDajYaA395DCg5+4mOLQQgDnmy4drlgj2NPv1nMBRDBubzgAhJccwF2BLN9 > >>> IW7MAwTEu7vYT/gwIFzriPkui7gYpf8sAqsnzf/z7FtXbsP8imgOKUlQxzZzeSSP > >>> QEb6+syyMD9Gt6wxQfWzyl5T0bYLP6DQ+ldZR8yGKCwb+2k3LN6Q8bIpj4mIERI= > >>> =tkGT > >>> - -----END PGP SIGNATURE----- > >>> -----BEGIN PGP SIGNATURE----- > >>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin) > >>> Comment: GPGTools - http://gpgtools.org > >>> > >>> iQEcBAEBCgAGBQJSEUQfAAoJEGhJURNOOiAt8wkIAI3xgdsWuOB36KLiMLRUG+Zb > >>> RvYqV+rOH80m7YVJcdOLjQJcpPqOIBdzq/yuNiAaF1uFJCqBn97ZQ/NLXLNGcg8x > >>> wI/Laz7kP2U4B2trBTMtAf2wsY9uYw4Eh+eOEDKGF6cmkEzrzrlw4q/Sfu6vy181 > >>> VI+kqwzZ+iYX4iL3NYPlkg3rwF4OZ1v3T08Erg2SPrbmNd1TRfJJU8HrYFEJQo1q > >>> p0RiLjcFFDCEZs0gDr9zliCXllV7J9h2ttqLq8+xwPATDuO6buQdFS9vZQ8t1u36 > >>> a0FIuy3NM8PQbblC3B5WumUjW4kntLV09ytYV8h6S8C/dgFwMqzAwEAeNx1exyE= > >>> =3qNI > >>> -----END PGP SIGNATURE----- > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- [OAUTH-WG] Dynamic Client Registration Conference… Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Anthony Nadalin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Anthony Nadalin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Eve Maler
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Josh Mandel
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Josh Mandel
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Tschofenig, Hannes (NSN - FI/Espoo)