IETF Logo Mail Archive

Re: [OAUTH-WG] Summary - "Assertion Framework - Why does issuer have to be either the client or a third party token service?"

zhou.sujing@zte.com.cn Thu, 20 December 2012 00:33 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C9E21F881E; Wed, 19 Dec 2012 16:33:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.193
X-Spam-Level:
X-Spam-Status: No, score=-98.193 tagged_above=-999 required=5 tests=[AWL=0.202, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rWCZXVbbYbFZ; Wed, 19 Dec 2012 16:33:27 -0800 (PST)
Received: from zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 1384721F8202; Wed, 19 Dec 2012 16:33:27 -0800 (PST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id C5E7C125D1A0; Thu, 20 Dec 2012 08:35:24 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id qBK0X75T094905; Thu, 20 Dec 2012 08:33:07 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <CA+k3eCQTx0k8hfeqetvvZF2N=4WOrP6JNi8gHY6Vo3toFwsnJw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF6D90054C.4C6344C5-ON48257AF9.00023E29-48257AF9.00032771@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Thu, 20 Dec 2012 08:32:56 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2012-12-20 08:33:00, Serialize complete at 2012-12-20 08:33:00
Content-Type: multipart/alternative; boundary="=_alternative 0003276F48257AF9_="
X-MAIL: mse02.zte.com.cn qBK0X75T094905
Cc: "oauth@ietf.org WG" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Summary - "Assertion Framework - Why does issuer have to be either the client or a third party token service?"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 00:33:28 -0000

Brian Campbell <bcampbell@pingidentity.com> 写于 2012-12-20 04:26:03:

> They are just some examples and shouldn't limit who or what can be the 
issuer.
> 
> Maybe just removing that whole sentence that says, "The issuer may be
> either an OAuth client (when assertions are self-issued) or a third
> party token service.' would be better, if it's causing confusion?
It is causing confusion when entities in the oauth architecture are 
issuers. 
If the whole sentence is removed, similar sentences still exist in the 
following paragraphs,
confusion still exists.

How about a modification for section 3 

 "The token service is the assertion issuer; its  role is to fulfill 
requests from clients, which present various 
 credentials, and mint assertions as requested, fill them with appropriate 
information, and sign them."  (in  section 3 )
into 
 "The token service is the assertion issuer, it could be implemented in 
any entity besides client, including Resource Owner, Authorization Server; 
its  role is to fulfill requests from clients, which present various 
credentials, and mint assertions as requested, fill them with  appropriate 
information, and sign them." 

And no more normative texts need to be changed. 

> 
> On Mon, Dec 17, 2012 at 5:29 PM,  <zhou.sujing@zte.com.cn> wrote:
> >
> >
> > oauth-bounces@ietf.org 写于 2012-12-17 23:21:36:
> >
> >
> >> Hi all,
> >>
> >> I read through the mailing list discussion raised by Nat in this
> >> mail to the list on the 3rd of December, see http://www.ietf.
> >> org/mail-archive/web/oauth/current/msg10203.html
> >>
> >> There were two types of issues:
> >>
> >> 1) The current text about the issuer (in Section 5.1 of <draft-ietf-
> >> oauth-assertions-08.txt> says that the assertion can either be
> >> created by the client (in which case it is self-signed) or it can be
> >> created by some other entity.
> >>
> >> There was, however, the perception that the current text, in the way
> >> it is worded, creates the impression that third party token services
> >> excludes entities like the resource owner.
> >>
> >> 2) Some folks had the idea that the resource owner could create the
> >> assertion and they had a specific use case in mind. While this is
> >> not a currently deployed scenario (using OAuth technology) there
> >> seem to be some other deployment (the Austrian eID card deployment
> >> was mentioned by Nat) that could be re-build with this support in 
mind.
> >>
> >> It seemed that just mentioning that the resource owner could create
> >> the assertion wouldn't be enough to understand the scenario. A more
> >> detailed writeup of the envisioned scenario would be needed but has
> >> not been provided to the mailing list.
> >>
> >> To me it seems that the best approach would be to do the following:
> >>
> >> a) to update the text in Section 5.1 as suggested by Nat in his mail
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg10222.html
> >
> > Nat's suggestion "Example of issuers include an OAuth client, resource
> > owner, an independent third party."
> > there is still an issue,  "indenpendent" from who?  If  AS be an 
assertion
> > issuer, could AS be called indenpendent?
> >
> >
> >> This by itself would not lead to any normative text change but may
> >> make it clear what the intention was.
> >>
> >> b) to encourage those who care about the use case where the resource
> >> owner creates the assertion to compile a document and to submit it
> >> to the group. This would allow us to evaluate whether all the
> >> required functionality is indeed available.
> >>
> >> Ciao
> >> Hannes
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >

v2.35.0 | Report a Bug | By Email | System Status