Re: [OAUTH-WG] Signatures, Why?

Eve Maler <eve@xmlgrrl.com> Tue, 16 March 2010 20:36 UTC

From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <daf5b9571003161051s42e6245dp819260f894a17e8d@mail.gmail.com>
Date: Tue, 16 Mar 2010 13:35:43 -0700
Message-Id: <975F022E-AFDC-4F12-9CF9-C0D5D2C51803@xmlgrrl.com>
References: <d37b4b431003041200n1fc6cc5au83194aca28763b0d@mail.gmail.com> <4B99B2DD.3000405@stpeter.im> <4B99D783.1090905@lodderstedt.net> <4B9EB99F.1050609@lodderstedt.net> <daf5b9571003161051s42e6245dp819260f894a17e8d@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signatures, Why?

Hi Brian,

On 16 Mar 2010, at 10:51 AM, Brian Eaton wrote:
> We didn't talk about the signed identity claims use case.  Some
> background on that is in this thread:
> 
> http://www.ietf.org/mail-archive/web/oauth/current/msg00530.html
> 
> Paul - does OpenSocial still need signed identity claims?
> 
> Eve - does UMA still need signed identity claims, or are you handling
> that outside of the OAuth spec?

UMA's core protocol is agnostic as to the format of the claims, though negotiating a desired claim format does have a few core-protocol implications.  We anticipate that a couple of different formats are likely (strong interest has been expressed in SAML and JSON so far).

We do have use cases for third-party-asserted claims as well as self-asserted claims, and we anticipate that the former would be most easily solved (maybe "easily" should be in scare quotes) with signatures.  The use cases requiring this do tend to be for higher-security, higher-sensitivity applications (health, financial/insurance, etc.).

Note that by "claims", I'm referring here to the access authorization claims that an authorization manager would ask a requester to produce in order to prove suitability for getting access.  (The authorizing user might be delegating access to some protected web resource that contains identity claims about themselves; this is well outside the UMA core protocol.)

	Eve

Eve Maler
eve@xmlgrrl.com
http://www.xmlgrrl.com/blog