Re: [rtcweb] WebRTC REF for OAUTH based TURN
Mészáros Mihály <misi@odu.duckdns.org> Wed, 14 March 2018 15:05 UTC
Return-Path: <misi@odu.duckdns.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D363A126C19 for <rtcweb@ietfa.amsl.com>; Wed, 14 Mar 2018 08:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.363
X-Spam-Level:
X-Spam-Status: No, score=0.363 tagged_above=-999 required=5 tests=[RDNS_DYNAMIC=0.363] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KN8tLSfMlkFv for <rtcweb@ietfa.amsl.com>; Wed, 14 Mar 2018 08:05:31 -0700 (PDT)
Received: from odu.duckdns.org (business-178-48-31-65.business.broadband.hu [178.48.31.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A61411200B9 for <rtcweb@ietf.org>; Wed, 14 Mar 2018 08:05:31 -0700 (PDT)
Received: from alma.ki.iif.hu ([193.6.222.35]) by odu.duckdns.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <misi@odu.duckdns.org>) id 1ew7y1-000593-Bb; Wed, 14 Mar 2018 16:05:25 +0100
To: Harald Alvestrand <harald@alvestrand.no>, Cullen Jennings <fluffy@iii.ca>, WebRTC WG <public-webrtc@w3.org>, RTCWeb IETF <rtcweb@ietf.org>
References: <2C22A535-0F8D-496D-B8BF-C74ACB17958C@iii.ca> <b9c34e0c-5bdb-805a-bb47-0f9de8b7d5e4@alvestrand.no>
From: Mészáros Mihály <misi@odu.duckdns.org>
Message-ID: <ae24e25f-2656-9068-cebc-57cb66e984af@odu.duckdns.org>
Date: Wed, 14 Mar 2018 16:05:21 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <b9c34e0c-5bdb-805a-bb47-0f9de8b7d5e4@alvestrand.no>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/ZPiCIi5hOrWEFnKJtEYScl30veU>
Subject: Re: [rtcweb] WebRTC REF for OAUTH based TURN
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 15:05:33 -0000
2018-03-14 08:37 keltezéssel, Harald Alvestrand írta: > Den 13. mars 2018 15:14, skrev Cullen Jennings: >> From a dependency point of view, I would like to note that right now the WebRTC PC spec references >> >> * draft-ietf-oauth-pop-key-distribution >> >> Which rumor has it has been replaced by >> >> * datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz >> >> Which normatively references the following: >> >> * draft-ietf-ace-cbor-web-token >> * ietf-ace-cwt-proof-of-possession >> * draft-ietf-ace-cbor-web-token >> * draft-ietf-ace-cwt-proof-of-possession >> >> More discussion of this at https://github.com/w3c/webrtc-pc/issues/1642 >> >> What needs to happen with all this so we can finish up the stuff WebRTC needs to reference from IETF ? >> >> >> >> >> > >From a WG product management point of view, I consider that this has not > deployed, and is not likely to deploy in the present timeframe, given > that no consensus specifiation has emerged. > > My suggestion would be to replace this text: > > An OAuth 2.0 based authentication method, as described in [RFC7635]. It > uses the OAuth 2.0 Implicit Grant type, with PoP (Proof-of-Possession) > Token type, as described in [RFC6749] and [OAUTH-POP-KEY-DISTRIBUTION]. > .... rest of section .... > > with > > An OAuth 2.0 based authentication method, as described in [RFC7635]. > > The amount of detail currently in the webrtc-pc document is, to my mind, > inappropriate for a W3C spec. If the IETF has failed to come up with a > single "handle" by which all this detail can be referenced, the IETF > needs to solve that problem. > After the confusion around RTCIceCredential OAuth parameters in WebRTC-PC, I just want to close the gap between W3C WebRTC-PC and IETF RFC7635. RFC7635 is complex and confusing without a guide. My intention was to remove confusion and define an example guideline howto use RFC7635 in WebRTC context, and put all this info into the WebRTC-PC spec. Now I see I went too far, and PC spec should step back and mention OAuth PoP only as a possible way of the key distribution, but in other hand the information in webrtc PC is inline with the RFC7635 example Appendix B. Is it better to leave totally undefined howto use RFC7635 in WebRTC context as Harald proposed? I am not sure. Misi
- [rtcweb] WebRTC REF for OAUTH based TURN Cullen Jennings
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Sean Turner
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Harald Alvestrand
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Sean Turner
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Sean Turner
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Mészáros Mihály
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Harald Alvestrand
- Re: [rtcweb] WebRTC REF for OAUTH based TURN Mészáros Mihály