IETF Logo Mail Archive

Re: [OAUTH-WG] oauth assertions plan

Brian Campbell <bcampbell@pingidentity.com> Mon, 18 February 2013 19:34 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7031421F8BBB for <oauth@ietfa.amsl.com>; Mon, 18 Feb 2013 11:34:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Level:
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3tehCKWSWYr for <oauth@ietfa.amsl.com>; Mon, 18 Feb 2013 11:34:46 -0800 (PST)
Received: from na3sys009aog104.obsmtp.com (na3sys009aog104.obsmtp.com [74.125.149.73]) by ietfa.amsl.com (Postfix) with ESMTP id DE4D921F8B26 for <oauth@ietf.org>; Mon, 18 Feb 2013 11:34:45 -0800 (PST)
Received: from mail-we0-f199.google.com ([74.125.82.199]) (using TLSv1) by na3sys009aob104.postini.com ([74.125.148.12]) with SMTP ID DSNKUSKCVPYDtk8PVHddIwRW9P5+cPHY4DI/@postini.com; Mon, 18 Feb 2013 11:34:46 PST
Received: by mail-we0-f199.google.com with SMTP id t11so7107231wey.6 for <oauth@ietf.org>; Mon, 18 Feb 2013 11:34:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=A6Vc2krnQoSB0DKUG3m0bcDLGGf5oRVHHBX257IBIl0=; b=d3iwh9c7VQxYzqTTVa/8ex7AxjyzbAlEmqv8InZIywcq6Mgp/9wFG/NhHMPMPJ1oDo v7JtX19W4WcH5IWOGtVACKisB3a9rznZL59m0/W2ZCRP5pIPCkulLtNlUOcmob1rpPxq VxnlYpGXq1SQ0W0jdIZG2zfM63FuLwK13OXuDKIQJ8N2Do+UytKgAcvSuesZtCD7Wisb IZDDEilbRGLLZwUwxckwP/BUQPWtaCRAlm17TNSiAFiSF+VpdOcFE6OWc7nLV43B6nss Mi9sk+aoQWtIyFXNMTSPUNt5PhkIbrYH4KlU01bNU6YnXuye73IyyyAkvtCq5Qy48g6V vTbg==
X-Received: by 10.14.183.198 with SMTP id q46mr48416221eem.1.1361216083281; Mon, 18 Feb 2013 11:34:43 -0800 (PST)
X-Received: by 10.14.183.198 with SMTP id q46mr48416190eem.1.1361216083122; Mon, 18 Feb 2013 11:34:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.14.173.9 with HTTP; Mon, 18 Feb 2013 11:34:13 -0800 (PST)
In-Reply-To: <CALaySJKFkHtPiZ-u43vFShqgQ4__rC8E7hAXyjZ4jTaZ72tEag@mail.gmail.com>
References: <51212E78.1050206@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739436746DC1C@TK5EX14MBXC284.redmond.corp.microsoft.com> <51214AC5.3090807@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739436746DE40@TK5EX14MBXC284.redmond.corp.microsoft.com> <CALaySJ+YM9_DJ5KB1AnF+D-_1=jMhCdsxrgB3jQaaCLsB7w1Kg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436747042A@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAC4RtVAKUAQosF=tJQLB6FExUriY-WhBv+R_0uX6aP1gegR=QQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436747063A@TK5EX14MBXC284.redmond.corp.microsoft.com> <CALaySJKFkHtPiZ-u43vFShqgQ4__rC8E7hAXyjZ4jTaZ72tEag@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 18 Feb 2013 12:34:13 -0700
Message-ID: <CA+k3eCSUXE4fj3Xa8+0mtd_5NHmQsJ6ScSQxxk0-=k9UR1g+yA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: multipart/alternative; boundary="047d7b34414218d91a04d604d1f5"
X-Gm-Message-State: ALoCoQlsWZXYLq38CxhYN2LytnfusmX6us5kP1p2+nGH3+lMORBwt4WD1vkPDaro1f1eWBsDv4gbOEoKC3f13jROLPbHrUshc0uVMZqePxYNsK9w6QVvi6nk4wrykKPnlHxvbAGYyvro
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] oauth assertions plan
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2013 19:34:47 -0000

I do believe some face to face discussion amongst a smallerish group might
be valuable on this. I'll be in Orlando and plan on contributing to that as
much as I can. Thanks for organizing the lunch discussion Stephen.

I do feel that this conversation has strayed a bit and I'd like to clear up
one important misconception. The three assertion documents do not define an
access token type at all. The questions and concerns around bearer tokens
and MAC tokens and other token types may well be very legitimate but are
completely orthogonal to the scope and intent of the assertion documents.
The assertions drafts define how to trade an assertion for a an access
token at the token endpoint via the extension grant type mechanism provided
by RFC 6749. The assertions drafts also define an alternative means of
client authentication but its scope is very limited and only applies to a
client authenticating to the AS's token endpoint. I believe the documents
are pretty clear on what they seek to accomplish (and what they do not) but
this is definitely not the first time this has come up and that likely
points to the need for some more clarification in docs themselves.

It seems to me that much of the recent discussion here is largely unrelated
to that actual intent and scope of the documents in question. It may well
be valuable discussion but, even if we can find some common ground on it,
these assertion drafts probably aren't the right place to address these
issues.


On Mon, Feb 18, 2013 at 12:09 PM, Barry Leiba <barryleiba@computer.org>wrote:

> "Dynamically declaring," in what sense?  Where are those mechanisms
>> documented?****
>>
>> ** **
>>
>> Many of them are documented in draft-ietf-oauth-dyn-reg.****
>>
>> ** **
>>
>> One profile (an outer doll J) that enables fully interoperable
>> implementations is documented in draft-hardjono-oauth-umacore.
>>
>> ...
>
>>  Another related profile that enables fully interoperable
>> implementations is documented in
>> http://openid.net/specs/openid-connect-messages-1_0.html.
>>
>>
> It's possible, then, that this isn't an issue of major changes needed in
> this document, but one of document ordering.  It's possible (I'm still not
> sure, but maybe) that if some of these other documents came out before or
> at the same time as this one, they would all fit together and all would be
> clear.
>
> So maybe that's one way through this.
>
> In the end, all I'm saying is that if I hear that everyone is using oauth
> to peel bananas, and I want put my banana-peeling application on the market
> by adding oauth to it, I need to be able to read a set of specs that say
> how to do that, and that's all.  And if I do that, my application will work
> when it's slotted into any oauth-based banana-peeling system.
>
> Barry
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email