Re: [rtcweb] WebRTC REF for OAUTH based TURN

Harald Alvestrand <harald@alvestrand.no> Wed, 14 March 2018 16:46 UTC

On 14 March 2018 16:05, Mészáros Mihály wrote:
>
>
> On 2018-03-14 08:37, Harald Alvestrand wrote:
>> On 13 March 2018 15:14, Cullen Jennings wrote:
>>> From a dependency point of view, I would like to note that right now the WebRTC PC spec references
>>>
>>> * draft-ietf-oauth-pop-key-distribution
>>>
>>> Which rumor has it has been replaced by 
>>>
>>> * datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz
>>>
>>> Which normatively references the following:
>>>
>>> * draft-ietf-ace-cbor-web-token
>>> * ietf-ace-cwt-proof-of-possession
>>> * draft-ietf-ace-cbor-web-token
>>> * draft-ietf-ace-cwt-proof-of-possession
>>>
>>> More discussion of this at https://github.com/w3c/webrtc-pc/issues/1642
>>>
>>> What needs to happen with all this so we can finish up the stuff WebRTC needs to reference from IETF?
>>>
>> From a WG product management point of view, I consider that this has not
>> deployed, and is not likely to deploy in the present timeframe, given
>> that no consensus specification has emerged.
>>
>> My suggestion would be to replace this text:
>>
>> An OAuth 2.0 based authentication method, as described in [RFC7635]. It
>> uses the OAuth 2.0 Implicit Grant type, with PoP (Proof-of-Possession)
>> Token type, as described in [RFC6749] and [OAUTH-POP-KEY-DISTRIBUTION].
>>  .... rest of section ....
>>
>> with
>>
>>  An OAuth 2.0 based authentication method, as described in [RFC7635].
>>
>> The amount of detail currently in the webrtc-pc document is, to my mind,
>> inappropriate for a W3C spec. If the IETF has failed to come up with a
>> single "handle" by which all this detail can be referenced, the IETF
>> needs to solve that problem.
>>
> After the confusion around RTCIceCredential OAuth parameters in
> WebRTC-PC, I just want to close the gap between W3C WebRTC-PC and IETF
> RFC7635.
> RFC7635 is complex and confusing without a guide.
> My intention was to remove confusion and define an example guideline
> for how to use RFC7635 in the WebRTC context, and put all this info into the
> WebRTC-PC spec.
> 
> Now I see I went too far, and the PC spec should step back and mention OAuth
> PoP only as a possible way of the key distribution, but on the other hand
> the information in WebRTC-PC is in line with the RFC7635 example in Appendix B.
> 
> Is it better to leave totally undefined how to use RFC7635 in the WebRTC
> context, as Harald proposed?
> I am not sure.

I think it would be better to publish an IETF document that describes
"one clear way to do it", and see if we can get interoperable
implementations of that. Then we can insert a reference to that in the
WebRTC spec when it's ready.

The current text is unimplementable because it refers to documents that
don't exist (formally) any more, which is an untenable situation.

Harald