Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

William Denniss <wdenniss@google.com> Thu, 18 February 2016 19:28 UTC

From: William Denniss <wdenniss@google.com>
Date: Thu, 18 Feb 2016 11:27:56 -0800
Message-ID: <CAAP42hBihsz74R6s2wnKJdc=+SvqC8FFzRRd=fg8jEUSwJ2Dtg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/zNxynPsjLgDKvRxObxnDmFO05WU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

Two review comments:

1.
Can the text in "Section 2.  Authorization Server Metadata" near the end
regarding additional metadata be expanded? I think we should reference the
IANA registry established by this spec in that section (as this will be the
reference point for people looking for other registered metadata), and
possibly mention something about registered vs unregistered parameters and
interoperability. At present if you only read that section it is a little
vague.

I like the treatment of claims in the JWT spec
https://tools.ietf.org/html/rfc7519#section-4.2, splitting into 3
groups: registered, public and private. Not saying we should mirror it
exactly, but as an implementer I liked how clearly it was stated in
that spec.

2.
Since this doc is in WG Last call, do we need to remove the reference to
the mix-up I-D (Section 2, "issuer"), or are we expecting them to be
finalized together?


On Thu, Feb 18, 2016 at 10:42 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> I'm fine with changing dynamic registration from being RECOMMENDED to
> OPTIONAL.  That's good actionable feedback.  Likewise, looking at it again, we
> also need to change jwks_uri from REQUIRED to OPTIONAL, since not all OAuth
> deployments need keys.
>
> I expect more good, actionable feedback to also come from the WGLC as
> people carefully read the draft with fresh eyes.
>
>                                 -- Mike
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, February 18, 2016 10:33 AM
> To: Anthony Nadalin <tonynad@microsoft.com>
> Cc: Mike Jones <Michael.Jones@microsoft.com>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>;
> oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
>
> We are establishing a registry.  Some folks do use dynamic client
> registration.
>
> We can register it in this document or take it out and let others register
> it once the registry is established.
>
> It will be registered one way or the other.
>
> One of the reasons for starting last call is to get people to read the
> draft and comment.
> That seems to be working.
>
> If you have specific security considerations, please let us know so they
> can be addressed.   Text is always appreciated.
>
> John B.
>
> > On Feb 18, 2016, at 1:27 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
> >
> > Not sure about that. There are things that are "recommended" like the
> dynamic registration endpoint; I don't understand why this is recommended
> as a lot of folks still don't do this. There are security considerations
> about all the information that is in the discovery that have not been
> addressed.
> >
> > -----Original Message-----
> > From: Mike Jones
> > Sent: Thursday, February 18, 2016 10:18 AM
> > To: Anthony Nadalin <tonynad@microsoft.com>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; Phil Hunt <phil.hunt@oracle.com>; John
> Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: RE: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > It's the OAuth-specific subset of what's already widely deployed.
> Nothing was invented - just subsetted.
> >
> > I think it's already as simple as possible unless the working group
> decides to remove even more functionality (which it can obviously do).
> >
> >                               -- Mike
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> > Sent: Thursday, February 18, 2016 10:13 AM
> > To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Phil Hunt <
> phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> > I also think we are way far from last call (and surprised to see last
> call issued) on this document as it is still very complex for something
> that should be very simple.
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes
> Tschofenig
> > Sent: Thursday, February 18, 2016 6:47 AM
> > To: Phil Hunt <phil.hunt@oracle.com>; John Bradley <ve7jtb@ve7jtb.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> >
> >
> >
> > On 02/18/2016 03:06 PM, Phil Hunt wrote:
> >> BTW. I think we are FAR from Last Call on this topic.
> >
> > Thanks for your feedback, Phil. As you have seen I had issued a WGLC
> prior to your message based on the claim from the authors that they believe
> the document is finished.
> >
> > We will, of course, take all reviews into account and see where we are
> with the discovery spec. I, as the shepherd, will also do my review and I
> encourage many working group members to also take a look at the document
> and to provide their input.
> >
> > Ciao
> > Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
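As an added example that is not part of this thread or of the draft: a client-side check, in Python, over a constructed authorization server metadata document. It treats jwks_uri and registration_endpoint as OPTIONAL (as agreed above), binds the "issuer" value to the location the document was fetched from (the mix-up concern behind the "issuer" reference), and separates registered from unregistered parameters so a client tolerates the latter, which is the interoperability point of review comment 1. The well-known path and the parameter sets are assumptions; the authoritative list is the IANA registry the draft establishes.

```python
import json
from urllib.parse import urlparse

# Illustrative parameter sets (assumption, not the registry): "issuer" is
# discussed as required in the thread; jwks_uri and registration_endpoint
# are the two the thread agrees should become OPTIONAL.
REQUIRED = {"issuer", "authorization_endpoint"}
OPTIONAL = {"token_endpoint", "jwks_uri", "registration_endpoint",
            "scopes_supported", "response_types_supported"}
# Assumed well-known path; the page does not state one.
WELL_KNOWN = "/.well-known/oauth-authorization-server"


def check_metadata(doc_text, fetched_from):
    """Validate a metadata document retrieved from `fetched_from`.

    Returns (ok, problems, unregistered). `unregistered` lists parameters
    outside the known set; a client ignores them rather than failing.
    """
    meta = json.loads(doc_text)
    problems = []
    for name in sorted(REQUIRED - set(meta)):
        problems.append(f"missing required parameter {name}")
    issuer = meta.get("issuer")
    if issuer is not None:
        u = urlparse(issuer)
        if u.scheme != "https" or u.query or u.fragment:
            problems.append("issuer must be an https URL without query or fragment")
        # Mix-up mitigation: the document must come from the location derived
        # from its own issuer, so metadata served by one AS cannot claim to
        # describe another AS.
        if fetched_from != issuer.rstrip("/") + WELL_KNOWN:
            problems.append(f"issuer {issuer!r} does not match fetch location")
    # OPTIONAL parameters are checked only when present; absence is fine.
    for name in ("jwks_uri", "registration_endpoint", "token_endpoint"):
        if name in meta and urlparse(meta[name]).scheme != "https":
            problems.append(f"{name} must be an https URL")
    unregistered = sorted(set(meta) - REQUIRED - OPTIONAL)
    return (not problems, problems, unregistered)


# Constructed sample documents (not from any real deployment).
GOOD = json.dumps({"issuer": "https://as.example",
                   "authorization_endpoint": "https://as.example/authorize",
                   "token_endpoint": "https://as.example/token",
                   "x_vendor_hint": "unregistered, ignored by clients"})
MIXUP = json.dumps({"issuer": "https://other.example",
                    "authorization_endpoint": "https://as.example/authorize"})

if __name__ == "__main__":
    print(check_metadata(GOOD, "https://as.example" + WELL_KNOWN))
    print(check_metadata(MIXUP, "https://as.example" + WELL_KNOWN))
```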