[OAUTH-WG] " Help" unsubscribe

mark@rocksolidimports.com Thu, 18 February 2016 19:53 UTC

Return-Path: <mark@rocksolidimports.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1575E1B33BB for <oauth@ietfa.amsl.com>; Thu, 18 Feb 2016 11:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pQVNQacu_b8b for <oauth@ietfa.amsl.com>; Thu, 18 Feb 2016 11:53:38 -0800 (PST)
Received: from p3plwbeout02-01.prod.phx3.secureserver.net (p3plsmtp02-01-2.prod.phx3.secureserver.net [72.167.218.94]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD0B81B349A for <oauth@ietf.org>; Thu, 18 Feb 2016 11:53:24 -0800 (PST)
Received: from localhost ([72.167.218.17]) by p3plwbeout02-01.prod.phx3.secureserver.net with bizsmtp id KvtQ1s0010P6mCQ01vtQov; Thu, 18 Feb 2016 12:53:24 -0700
X-SID: KvtQ1s0010P6mCQ01
Received: (qmail 31612 invoked by uid 99); 18 Feb 2016 19:53:24 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_38048772a95672ad6c58c06d5afa1132"
To: oauth@ietf.org
From: mark@rocksolidimports.com
In-Reply-To: <mailman.1124.1455824600.3232.oauth@ietf.org>
Date: Thu, 18 Feb 2016 12:53:23 -0700
Message-Id: <20160218125323.775e101fb789049a384b75407b90d462.08c711b435.mailapi@email02.secureserver.net>
X-Originating-IP: 73.247.22.253
User-Agent: MailAPI
X-Sender: mark@rocksolidimports.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/z0YTKeRSi0x7Uj9h7S3NKskEfhQ>
Subject: [OAUTH-WG] " Help" unsubscribe
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2016 19:53:47 -0000

Please remove/unsubscribe this email address.
 
Thanks
 
 
Mark Warwick 
Rock Solid Imports
1700 Quincy Ave Suite #102
Naperville, IL 60540
630-532-2622
www.rocksolidimports.com
 
 
 
 
 
--------- Original Message --------- Subject: OAuth Digest, Vol 88, Issue 81
From: oauth-request@ietf.org
Date: 2/18/16 1:43 pm
To: oauth@ietf.org

Send OAuth mailing list submissions to
oauth@ietf.org

To subscribe or unsubscribe via the World Wide Web, visit
https://www.ietf.org/mailman/listinfo/oauth
or, via email, send a message with subject or body 'help' to
oauth-request@ietf.org

You can reach the person managing the list at
oauth-owner@ietf.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OAuth digest..."


Today's Topics:

1. Re: 2nd Call for Adoption: Authentication Method Reference
Values (William Denniss)
2. Re: OAuth Discovery spec pared down to its essence
(William Denniss)


----------------------------------------------------------------------

Message: 1
Date: Thu, 18 Feb 2016 11:39:52 -0800
From: William Denniss <wdenniss@google.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 2nd Call for Adoption: Authentication Method
Reference Values
Message-ID:
<CAAP42hCR0TP0+qEvXhix0S+b1C0s1Sp7E6N2nhFh7vHaGrQp_g@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

+1 to adopt.

My previous concerns of this draft have been addressed, and I am supportive
of having an IANA registry of amr values.

On Thu, Feb 18, 2016 at 5:09 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> In response to my message to the list regarding the initial call for
> adoption of the Authentication Method Reference Values draft, see
> https://www.ietf.org/mail-archive/web/oauth/current/msg15694.html, Mike
> submitted an updated version of the document to take raised concerns
> into account. Several working group participants responded positively to
> the new version.
>
> We would therefore like to issue a 2nd call for adoption of the recently
> submitted version -05:
> https://tools.ietf.org/html/draft-jones-oauth-amr-values-05
>
> Please let us know by March 3rd whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20160218/6d7b6e3b/attachment.html>

------------------------------

Message: 2
Date: Thu, 18 Feb 2016 11:42:56 -0800
From: William Denniss <wdenniss@google.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
Message-ID:
<CAAP42hD7Hy78ADm+i70XV=hCkWsXw_YvhRtwcE+CiNTpC_Zy8A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Thu, Feb 18, 2016 at 11:36 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks, William. I?m good with referencing the registry in Section 2.
>

Great!


> I?ll think about the registered/public/private comment.
>
>
I'm not suggesting we necessarily have to use the same
registered/public/private structure, only that some discussion of
standardized vs non-standard could be helpful for implementers (e.g. try to
pick something that is collision resistant for proprietary metadata).


> It?s fine to reference oauth-mix-up-mitigation as a draft in a finished
> RFC as long as it?s an informative and not a normative reference.
>

Ah ok, I wasn't aware of that.



> *From:* William Denniss [mailto:wdenniss@google.com]
>
> *Sent:* Thursday, February 18, 2016 11:28 AM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* John Bradley <ve7jtb@ve7jtb.com>; Anthony Nadalin <
> tonynad@microsoft.com>; oauth@ietf.org
>
> *Subject:* Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
>
>
>
> Two review comments:
>
>
>
> 1.
>
> Can the text in "Section 2. Authorization Server Metadata" near the end
> regarding additional metadata be expanded? I think we should reference the
> IANA registry established by this spec in that section (as this will be the
> reference point for people looking for other registered metadata), and
> possibly mention something about registered vs unregistered parameters and
> interoperability. At present if you only read that section it is a little
> vague.
>
>
>
> I like the treatment of claims in the JWT spec https://tools.ietf.org/html/rfc7519#section-4.2, splitting into 3 groups: registered, public and private. Not saying we should mirror it exactly, but as an implementer I liked how clearly it was stated in that spec.
>
>
>
> 2.
>
> Since this doc is in WG Last call, do we need to remove the reference to
> the mix-up I-D (Section 2, "issuer"), or are we expecting them to be
> finalized together?
>
>
>
>
>
> On Thu, Feb 18, 2016 at 10:42 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> I'm fine with changing dynamic registration from being RECOMMENDED to
> OPTIONAL. That's good actionable feedback. Likewise, looking at again, we
> also need to change jwks_uri from REQUIRED to OPTIONAL, since not all OAuth
> deployments need keys.
>
> I expect more good, actionable feedback to also come from the WGLC as
> people carefully read the draft with fresh eyes.
>
> -- Mike
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, February 18, 2016 10:33 AM
> To: Anthony Nadalin <tonynad@microsoft.com>
>
> Cc: Mike Jones <Michael.Jones@microsoft.com>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>;
> oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
>
> We are establishing a registry. Some folks do use dynamic client
> registration.
>
> We can register it in this document or take it out and let others register
> it once the registry is established.
>
> It will be registered one way or the other.
>
> One of the reasons for starting last call is to get people to read the
> draft and comment.
> That seems to be working.
>
> If you have specific security considerations, please let us know so they
> can be addressed. Text is always appreciated.
>
> John B.
>
> > On Feb 18, 2016, at 1:27 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
> >
> > Not sure about that. There are things that are "recommended" like the
> dynamic registration endpoint, I don't understand why this is recommended
> as a lot of folks still don't do this. There are security considerations
> about all the information that is in the discovery that have not been
> addressed.
> >
> > -----Original Message-----
> > From: Mike Jones
> > Sent: Thursday, February 18, 2016 10:18 AM
> > To: Anthony Nadalin <tonynad@microsoft.com>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>; John
> Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: RE: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > It's the OAuth-specific subset of what's already widely deployed.
> Nothing was invented - just subsetted.
> >
> > I think it's already as simple as possible unless the working group
> decides to remove even more functionality (which it can obviously do).
> >
> > -- Mike
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> > Sent: Thursday, February 18, 2016 10:13 AM
> > To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Phil Hunt <
> phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > I also think we are way far from last call (and surprised to see last
> call issued) on this document as it is still very complex for something
> that should be very simple
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes
> Tschofenig
> > Sent: Thursday, February 18, 2016 6:47 AM
> > To: Phil Hunt <phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> >
> >
> > On 02/18/2016 03:06 PM, Phil Hunt wrote:
> >> BTW. I think we are FAR from Last Call on this topic.
> >
> > Thanks for your feedback, Phil. As you have seen I had issued a WGLC
> prior to your message based on the claim from the authors that they believe
> the document is finished.
> >
> > We will, of course, take all reviews into account and see where we are
> with the discovery spec. I, as the shepherd, will also do my review and I
> encourage many working group members to also take a look at the document
> and to provide their input.
> >
> > Ciao
> > Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20160218/ff25f9cb/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


------------------------------

End of OAuth Digest, Vol 88, Issue 81
*************************************