IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!

Phil Hunt <phil.hunt@oracle.com> Tue, 04 February 2014 19:05 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3326A1A01CD for <oauth@ietfa.amsl.com>; Tue, 4 Feb 2014 11:05:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.736
X-Spam-Level:
X-Spam-Status: No, score=-4.736 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FzPhIbJfop13 for <oauth@ietfa.amsl.com>; Tue, 4 Feb 2014 11:05:45 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id EB75C1A01E7 for <oauth@ietf.org>; Tue, 4 Feb 2014 11:05:44 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s14J5fsG025781 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 4 Feb 2014 19:05:42 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s14J5eHr016824 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 4 Feb 2014 19:05:41 GMT
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s14J5dUP010825; Tue, 4 Feb 2014 19:05:40 GMT
Received: from [192.168.1.124] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 04 Feb 2014 11:05:39 -0800
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <576f34cc19fb4926978a5078504f3476@BLUPR03MB309.namprd03.prod.outlook.com>
Date: Tue, 04 Feb 2014 11:05:37 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <64767C7A-41C8-43C0-9387-A52CE4A8CAE0@oracle.com>
References: <52E87DE4.1070000@gmx.net> <576f34cc19fb4926978a5078504f3476@BLUPR03MB309.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 19:05:47 -0000

Some discussion below…

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2014-02-03, at 9:26 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> So it's a tiny bit better but not sure it has captured all of what was being proposed to fix the original, still not there.
> 
> 1. The signature on the software statement should be optional 

Signatures should be REQUIRED.  Unsigned data should be passed in the normal registration request.  The point of the statement is to "lock" the registration metadata between instances.  

> 2. The software statement should be an assertion, the assertion can be whatever profiles exist, I understand the desire this to be a JWT but that is too limiting, for interop purposes this could be  as JWT assertion.

Not sure I understand the distinction here. Are you suggesting that a SAML assertion should also be acceptable?  I guess it doesn't matter as long as the servers are prepared to handle it.  

This is brand-new functionality, so I'm not sure why other assertions are important. Can you give a case where a non-JWT assertion would be beneficial?  e.g. are you thinking it might be easier to extend an existing MS signed software assertion with dyn reg metadata than create new JWT assertions?
> 3. The idea was to be able to remove the client secrets to reduce required management for secrets, we need to get away from this

I agree on this. But in IETF Vancouver there was a general disagreement around use of client_secrets.  Some of us interpret secrets as being passwords only while others are passing assertions as secrets.  I think this is where some of the debate/confusion is stemming from.

I would like to:
a.  clarify that secrets are passwords (this is not the way to pass assertions even though they may behave like passwords to a client)
b.  the use of passwords should be discouraged

As new functionality (no legacy), I would like to drop support for the use of passwords (secrets) for managing client registration profiles.
> 
> 
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Tuesday, January 28, 2014 8:05 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!
> 
> Hi all,
> 
> as you have seen from the meeting minutes of our recent status chat it is time to proceed with the dynamic client registration work.
> 
> The earlier version of the dynamic client registration document was split into three parts, namely
>  (1) the current working group draft containing only minimal functionality,
>  (2) a document describing meta-data, and
>  (3) a document containing management functionality.
> 
> This change was made as outcome of the discussions we had more or less over the last 9 months.
> 
> The latter two documents are individual submissions at this point. New content is not available with the recent changes. So, it is one of those document management issues.
> 
> I had a chat with Stephen about WG adoption of the two individual submissions as WG items. It was OK for him given that it is a purely document management action. However, before we turn the documents into WG items we need your feedback on a number of issues:
> 
> 1) Do you have concerns with the document split? Do you object or approve it?
> 2) Is the separation of the functionality into these three documents correct? Should the line be drawn differently?
> 3) Do you have comments on the documents overall?
> 
> We would like to receive high-level feedback within a week. We are also eager to hear from implementers and other projects using the dynamic client registration work (such as OpenID Connect, UMA, the BlueButton/GreenButton Initiative, etc.)
> 
> For more detailed reviews please wait till we re-do the WGLC (which we plan to do soon). We have to restart the WGLC due to discussions last years and the resulting changes to these documents.
> 
> Ciao
> Hannes & Derek
> 
> PS: Derek and I also think that Phil should become co-auhor of these documents for his contributions.
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email