Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

John Bradley <ve7jtb@ve7jtb.com> Sat, 13 February 2016 15:07 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DDAC1A003B for <oauth@ietfa.amsl.com>; Sat, 13 Feb 2016 07:07:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BVhIAkR8OGy5 for <oauth@ietfa.amsl.com>; Sat, 13 Feb 2016 07:07:17 -0800 (PST)
Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B15731A0033 for <oauth@ietf.org>; Sat, 13 Feb 2016 07:07:17 -0800 (PST)
Received: by mail-qg0-x232.google.com with SMTP id b35so82922948qge.0 for <oauth@ietf.org>; Sat, 13 Feb 2016 07:07:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=hS/4AMk9aYuYstoM2YlWJ1tMAW8nGYDw+l3K05fW8Ro=; b=ciZWfaEgqqaXRiMd0ns6Mq+wWJF4/9q/jlBdfE9ijgiV9EzZG/+XiCZRJu8fRe9FOn pvVBkl0UoGTzES8GnXDwSpW12+sZwYXVcWgHs9dD/wA9/inkLBZunt5cz6vYRh+eTYn+ 4gPv9DWcaaStHLQpSAwsiKlbbRf1UbOSSFVYEmbjtJK67/fvspFWb++bXFZUvgxgpKHa EOFCinaF8Wja85nQWnYynmcsY5Zh2saxUbNAH9qk5ZUwglXk21f4PjseeK7biZagLP4Y h1pxUyLIdTnIbzLhoHABRN8CmwsjmLbx6RzmxQl0dZn5qqOnKPnWM/6ltIGP1O38z5zO Z7Ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=hS/4AMk9aYuYstoM2YlWJ1tMAW8nGYDw+l3K05fW8Ro=; b=OOJwTzbS/oprQUt+Zx56jokjZUIIBEri+r5It7Vorf8dCwO0tTg2tPQvR/Jq5IZUpK uZDYxqqQLNYIrxV0RLWIG5gvMGxfcXmhTi/OVvZ3ATNE850/rCfjmMrQ7A9WChKnUxkY MgiWGDN8s5FqDxaxcsbFectNsWa8xGinpqDcoO26tx0EXZ7SBWMR9c4CJouzQ5O3QQiL ntrJO2MjyakeK8kzF3sPPSxdmu+G/Qy8B1osK6kSGaDJqj54WOJwJrwF/M7crhC9ePkL mF3ylw7pV1RWfN1oKf3G9pV0Udnxtssy+moKz076NtCJ7BkKRYfG4HLoNYETK/woMSwA OwpA==
X-Gm-Message-State: AG10YOSXg+LJTmJQMwVBc/FX6t7lUE5pwtrT6PN7fMXp7gGW9EQu6p3BGKmaz9bic4SbeA==
X-Received: by 10.140.234.129 with SMTP id f123mr9202130qhc.67.1455376036751; Sat, 13 Feb 2016 07:07:16 -0800 (PST)
Received: from [192.168.1.68] ([191.115.40.128]) by smtp.gmail.com with ESMTPSA id w190sm7553200qhw.29.2016.02.13.07.07.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 13 Feb 2016 07:07:15 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_965720D8-DF7C-408B-A247-658F9FD464B6"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <xxhu5n8bd556sull7wp3hay5.1455374199790@com.syntomo.email>
Date: Sat, 13 Feb 2016 12:06:56 -0300
Message-Id: <CFCDFFB7-3B52-4397-9835-4ADA1C2C5C43@ve7jtb.com>
References: <DA38E650-6C09-4E9A-A241-E5117EB67FC7@ve7jtb.com> <xxhu5n8bd556sull7wp3hay5.1455374199790@com.syntomo.email>
To: torsten@lodderstedt.net
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ubmHfRqy4PEjG5wiB7OkbH_d2aU>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Feb 2016 15:07:22 -0000

I was trying to say that the issue about other specs using the JWT registry is not specific to OIDC.

Discovery is a separate issue.

If we don’t adopt this document it could go as AD sponsored , but I don’t think that really addresses your issue. 
The distinction between AD sponsored and WG document will be lost on any normal person.

Remember that the amr claim is already in the registry registered by the OIDF.
http://www.iana.org/assignments/jwt/jwt.xhtml <http://www.iana.org/assignments/jwt/jwt.xhtml>

This discussion is about if there should be a IANA registry for the claim values and where it should be. 

If we want to keep the values registries and the claims together then it should be in the WG. 

If not then it can be AD sponsored and a separate IANA registry.   
As I understand it doing it as a OIDF document would not allow for an IANA registry and the OIDF would need to run the registry due to IANA policy.

John B.

> On Feb 13, 2016, at 11:36 AM, torsten@lodderstedt.net wrote:
> 
> We clearly have this problem between oauth and oidc. Just take a look at the discovery thread.
> 
> According to you argument I see two options:
> (1) amr stays an oidc claim, is used in oidc only and the oauth wg just publishes the registry entries. In this case, the spec should clearly explain this.
> (2) amr is of any use in oauth (although it has been invented in oidc) - than define it and motivate it's use in oauth in this spec.
> 
> Right now, I think it creates the impression oauth is for authentication.
> 
> 
> 
> -------- Originalnachricht --------
> Betreff: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
> Von: John Bradley <ve7jtb@ve7jtb.com>
> An: torsten@lodderstedt.net
> Cc: roland.hedberg@umu.se,oauth@ietf.org
> 
> This is not a issue between oauth and OIDC.
> 
> This has to do with the registry for JWT being in OAuth.   Many protocols that use JWT are going to want to register claims.  
> We can’t ask them to all move the parts of there specs that use JWT to OAuth.
> 
> Perhaps JWT should have been part of JOSE, but that is water under the bridge.  
> 
> The OAuth WG is responsible for JWT and it’s registry, and we will need to deal with registering claims.  
> 
> I guess that we can tell people that they need to publish the specs defining the claims someplace else, and just do the registry part.
> However doing that will probably not improve interoperability and understanding.
> 
> This document defines the claim for JWT in general.  We still have almost no documentation in the WG about what a JWT access token would contain other than the POP work.
> 
> John B.
>> On Feb 13, 2016, at 9:18 AM, torsten@lodderstedt.net <mailto:torsten@lodderstedt.net> wrote:
>> 
>> I basically support adoption of this document. Asserting authentication methods in access tokens (in this case in JWTS format) is reasonable. We use it to pass information about the authentication performed prior issuing an access token to the _resource_ server.
>> 
>> What worries me is the back and forth between oauth and oidc. The amr claim is defined in oidc (which sits on top of oauth) but the oauth wg specifies the registry? Moreover, the current text does not give a rationale for using amr in context of oauth.
>> 
>> As a WG we need to find a clear delineation between both protocols, otherwise noone will really understand the difference and when to use what. We create confusion!
>> 
>> For this particular draft this means to either move amr to oauth or the registry to oidc.
>> 
>> best regards, 
>> Torsten.
>> 
>> 
>> 
>> -------- Ursprüngliche Nachricht --------
>> Von: Roland Hedberg <roland.hedberg@umu.se <mailto:roland.hedberg@umu.se>>
>> Gesendet: Friday, February 12, 2016 05:45 PM
>> An: oauth@ietf.org <mailto:oauth@ietf.org>
>> Betreff: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
>> 
>> +1
>> 
>> > 12 feb 2016 kl. 16:58 skrev John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>:
>> > 
>> > +1 to adopt this draft.
>> > 
>> >> On Feb 12, 2016, at 3:07 AM, Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
>> >> 
>> >> Draft -05 incorporates the feedback described below - deleting the request parameter, noting that this spec isn't an encouragement to use OAuth 2.0 for authentication without employing appropriate extensions, and no longer requiring a specification for IANA registration.  I believe that it’s now ready for working group adoption.
>> >> 
>> >>                                                           -- Mike
>> >> 
>> >> -----Original Message-----
>> >> From: OAuth [mailto:oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>] On Behalf Of Hannes Tschofenig
>> >> Sent: Thursday, February 4, 2016 11:23 AM
>> >> To: oauth@ietf.org <mailto:oauth@ietf.org>
>> >> Subject: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
>> >> 
>> >> Hi all,
>> >> 
>> >> On January 19th I posted a call for adoption of the Authentication Method Reference Values specification, see http://www.ietf.org/mail-archive/web/oauth/current/msg15402.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15402.html>
>> >> 
>> >> What surprised us is that this work is conceptually very simple: we define new claims and create a registry with new values. Not a big deal but that's not what the feedback from the Yokohama IETF meeting and the subsequent call for adoption on the list shows. The feedback lead to mixed feelings and it is a bit difficult for Derek and myself to judge consensus.
>> >> 
>> >> Let me tell you what we see from the comments on the list.
>> >> 
>> >> In his review at
>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15423.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15423.html> James Manger asks for significant changes. Among other things, he wants to remove one of the claims. He provides a detailed review and actionable items.
>> >> 
>> >> William Denniss believes the document is ready for adoption but agrees with some of the comments from James. Here is his review:
>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15426.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15426.html>
>> >> 
>> >> Justin is certainly the reviewer with the strongest opinion. Here is one of his posts:
>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15457.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15457.html>
>> >> 
>> >> Among all concerns Justin expressed the following one is actually actionable IMHO: Justin is worried that reporting how a person authenticated to an authorization endpoint and encouraging people to use OAuth for authentication is a fine line. He believes that this document leads readers to believe the latter.
>> >> 
>> >> John agrees with Justin in
>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15448.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15448.html> that we need to make sure that people are not mislead about the intention of the document. John also provides additional comments in this post to the
>> >> list: http://www.ietf.org/mail-archive/web/oauth/current/msg15441.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15441.html>
>> >> Most of them require more than just editing work. For example, methods listed are really not useful,
>> >> 
>> >> Phil agrees with the document adoption but has some remarks about the registry although he does not propose specific text. His review is here:
>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15462.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15462.html>
>> >> 
>> >> With my co-chair hat on: I just wanted to clarify that registering claims (and values within those claims) is within the scope of the OAuth working group. We standardized the JWT in this group and we are also chartered to standardize claims, as we are currently doing with various drafts. Not standardizing JWT in the IETF would have lead to reduced interoperability and less security. I have no doubts that was a wrong decision.
>> >> 
>> >> In its current form, there is not enough support to have this document as a WG item.
>> >> 
>> >> We believe that the document authors should address some of the easier comments and submit a new version. This would allow us to reach out to those who had expressed concerns about the scope of the document to re-evaluate their decision. A new draft version should at least address the following issues:
>> >> 
>> >> * Clarify that this document is not an encouragement for using OAuth as an authentication protocol. I believe that this would address some of the concerns raised by Justin and John.
>> >> 
>> >> * Change the registry policy, which would address one of the comments from James, William, and Phil.
>> >> 
>> >> Various other items require discussion since they are more difficult to address. For example, John noted that he does not like the use of request parameters. Unfortunately, no alternative is offered. I urge John to provide an alternative proposal, if there is one. Also, the remark that the values are meaningless could be countered with an alternative proposal. James wanted to remove the "amr_values" parameter.
>> >> Is this what others want as well?
>> >> 
>> >> After these items have been addressed we believe that more folks in the group will support the document.
>> >> 
>> >> Ciao
>> >> Hannes & Derek
>> >> 
>> >> 
>> >> 
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> > 
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> — Roland
>> 
>> ”Everybody should be quiet near a little stream and listen."
>> From ’Open House for Butterflies’ by Ruth Krauss
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>