Re: [rtcweb] WebRTC REF for OAUTH based TURN

Sean Turner <sean@sn3rd.com> Wed, 14 March 2018 09:59 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89F9128954 for <rtcweb@ietfa.amsl.com>; Wed, 14 Mar 2018 02:59:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5hlo9umtQ6Z for <rtcweb@ietfa.amsl.com>; Wed, 14 Mar 2018 02:59:55 -0700 (PDT)
Received: from mail-pg0-x22c.google.com (mail-pg0-x22c.google.com [IPv6:2607:f8b0:400e:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60B8A127909 for <rtcweb@ietf.org>; Wed, 14 Mar 2018 02:59:55 -0700 (PDT)
Received: by mail-pg0-x22c.google.com with SMTP id r26so1133900pgv.13 for <rtcweb@ietf.org>; Wed, 14 Mar 2018 02:59:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=U98+SJqjrr9dg9/fIMelX2ayO0wPzcnsPmx1VPEFxk0=; b=gPWwNA4pmtWghknPwq+xclfZLdx6cAxKu3FmKDwMUmtk7aTPyqhsSC8VACAUxbgss6 wu/1nVCGPXkwKgQ4gT1bqcoh8z+lZWMvp1fNtWik01N5mY3DthttC7mEx3RI2+Vom6+7 T0NGoupKP/QYCqv5/0lPAaPXlTVTBvwOu8VCQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=U98+SJqjrr9dg9/fIMelX2ayO0wPzcnsPmx1VPEFxk0=; b=UEiaGw+oPh28jLL6tH3Y5l3O7ebyEoI+ILjRCiqbhPIvnDlYI7+BYBTfb2hTfR0kiv jep1i1fn90XG7COlWyqVuP7TiP/Xs2lWHrQWOHXqqBZRrFly482QExmTCM5Ta2c0rDIw ThtrXejS/NFYqCgOy5jH2TT2ZOSz6QC4bO7sbqTvYIOFydGnbCcr2x0axzw8gzpclg11 wIoZkGKe/AXZ+1AhdNES4Dtk4a/0B0L5Mder9g+4PqRvNXjxUw/9PvOlLBGdEQ1vIZN3 sxAbGOoJNyHBqxvojPTZeSAWwaSdPyeCg/vp2iNbOfzPKzdAVErRrgZ5x5v9d1cHNmZ/ O0aQ==
X-Gm-Message-State: AElRT7E+L9uBFuRapQxqE4ic2uQ2iZ6r67P1J2gvfPMs8m+Kv8qU7Fdu kajpFxQDhpv5B6ALMOlufLyigA==
X-Google-Smtp-Source: AG47ELt6OM2JhlgkTbS7lv7FSiuxAy81brCtipbGrvy0pdyrcO5xZzCVYgKQR1MViGxw2jv7knyTNg==
X-Received: by 10.167.129.24 with SMTP id b24mr3678765pfi.183.1521021594732; Wed, 14 Mar 2018 02:59:54 -0700 (PDT)
Received: from [5.5.33.158] (vpn.snozzages.com. [204.42.252.17]) by smtp.gmail.com with ESMTPSA id r30sm4769713pff.7.2018.03.14.02.59.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Mar 2018 02:59:53 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <B990AF4F-9FA9-4C90-9D2F-8EDEA990E06C@sn3rd.com>
Date: Wed, 14 Mar 2018 09:59:46 +0000
Cc: Cullen Jennings <fluffy@iii.ca>, WebRTC WG <public-webrtc@w3.org>, RTCWeb IETF <rtcweb@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1A1A6CB8-A85A-431C-8BD0-CB80B51E002D@sn3rd.com>
References: <2C22A535-0F8D-496D-B8BF-C74ACB17958C@iii.ca> <b9c34e0c-5bdb-805a-bb47-0f9de8b7d5e4@alvestrand.no> <B990AF4F-9FA9-4C90-9D2F-8EDEA990E06C@sn3rd.com>
To: Harald Tveit Alvestrand <harald@alvestrand.no>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/ozK2Fm51F13Y42afMBEJ_n0T0tM>
Subject: Re: [rtcweb] WebRTC REF for OAUTH based TURN
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 09:59:57 -0000


> On Mar 14, 2018, at 09:33, Sean Turner <sean@sn3rd.com> wrote:
> 
> 
> 
>> On Mar 14, 2018, at 07:37, Harald Alvestrand <harald@alvestrand.no> wrote:
>> 
>> Den 13. mars 2018 15:14, skrev Cullen Jennings:
>>> 
>>> From a dependency point of view, I would like to note that right now the WebRTC PC spec references
>>> 
>>> * draft-ietf-oauth-pop-key-distribution
>>> 
>>> Which, rumor has it, has been replaced by
>>> 
>>> * datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz
>>> 
>>> Which normatively references the following:
>>> 
>>> * draft-ietf-ace-cbor-web-token
>>> * ietf-ace-cwt-proof-of-possession
>>> * draft-ietf-ace-cbor-web-token
>>> * draft-ietf-ace-cwt-proof-of-possession
>>> 
>>> More discussion of this at https://github.com/w3c/webrtc-pc/issues/1642
>>> 
>>> What needs to happen with all this so we can finish up the stuff WebRTC needs to reference from IETF ?
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> From a WG product management point of view, I consider that this has not
>> deployed, and is not likely to deploy in the present timeframe, given
>> that no consensus specification has emerged.
>> 
>> My suggestion would be to replace this text:
>> 
>> An OAuth 2.0 based authentication method, as described in [RFC7635]. It
>> uses the OAuth 2.0 Implicit Grant type, with PoP (Proof-of-Possession)
>> Token type, as described in [RFC6749] and [OAUTH-POP-KEY-DISTRIBUTION].
>> .... rest of section ....
>> 
>> with
>> 
>> An OAuth 2.0 based authentication method, as described in [RFC7635].
>> 
>> The amount of detail currently in the webrtc-pc document is, to my mind,
>> inappropriate for a W3C spec. If the IETF has failed to come up with a
>> single "handle" by which all this detail can be referenced, the IETF
>> needs to solve that problem.
> 
> This seems to be like the right approach.
> 

For more info:
draft-ietf-ace-oauth-authz
Says:

   COSE is used to secure self-contained tokens such
   as proof-of-possession (PoP) tokens, which is an extension to the
   OAuth tokens.  The default token format is defined in CBOR web token
   (CWT) [I-D.ietf-ace-cbor-web-token].

ace-cbor-web-token is in Approved-announcement to be sent::Revised I-D Needed for 6 days
with no DOWNREF.

spt
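The thread above turns on what the "PoP (Proof-of-Possession) Token type" reference in webrtc-pc is for. The following is an added example, not code from this thread, from webrtc-pc, or from any IETF draft: a stdlib-only Python model of the three-party flow RFC 7635 builds for third-party TURN authorization. An authorization server issues a token that carries a fresh mac_key, sealed under a long-term key it shares with the TURN server; the client gets the same mac_key out of band and proves possession of it by computing MESSAGE-INTEGRITY (HMAC-SHA1 in STUN) over its request; the TURN server unseals the token, checks the lifetime and verifies the HMAC. The class and function names, the plain-seconds timestamp, the dict-based "STUN message", and the HMAC-SHA256 keystream-plus-HMAC sealing are assumptions of this example; RFC 7635 uses an AEAD cipher and its own attribute encoding, which this model only loosely follows.

```python
# Added example (not from the thread, webrtc-pc or any IETF draft): a
# simplified, stdlib-only model of the RFC 7635 proof-of-possession flow.
# AuthServer/TurnServer/client_request, the seal()/open_token() construction
# and the plain-seconds timestamp are assumptions of this model, not the RFC's
# wire format or its mandatory AEAD cipher.
import hashlib
import hmac
import os
import struct
import time

TAG_LEN = 32
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for the AEAD cipher
    # RFC 7635 requires between the auth server and the TURN server.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(shared_key: bytes):
    # Separate confidentiality and integrity keys from the one long-term key.
    return (hashlib.sha256(b"enc" + shared_key).digest(),
            hashlib.sha256(b"mac" + shared_key).digest())


def seal(shared_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(shared_key)  # encrypt-then-MAC
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_token(shared_key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key = _subkeys(shared_key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("access token failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AuthServer:
    """Issues PoP tokens; shares one long-term key (per kid) with the TURN server."""

    def __init__(self, kid: str, shared_key: bytes):
        self.kid, self.shared_key = kid, shared_key

    def issue(self, now: int, lifetime: int):
        # Token = nonce_length | nonce | sealed(key_length | mac_key | timestamp | lifetime).
        # The client receives mac_key out of band (in RFC 7635, in the OAuth response).
        mac_key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
        body = struct.pack(">H", len(mac_key)) + mac_key + struct.pack(">QI", now, lifetime)
        token = struct.pack(">H", len(nonce)) + nonce + seal(self.shared_key, nonce, body)
        return token, mac_key, self.kid


def message_integrity(mac_key: bytes, stun_msg: bytes) -> bytes:
    # STUN MESSAGE-INTEGRITY is HMAC-SHA1 over the message that precedes it.
    return hmac.new(mac_key, stun_msg, hashlib.sha1).digest()


def client_request(kid: str, token: bytes, mac_key: bytes, body: bytes) -> dict:
    # Model of a TURN request carrying USERNAME=kid and ACCESS-TOKEN; possession
    # of mac_key is proven by MESSAGE-INTEGRITY over the rest of the message.
    msg = body + kid.encode() + token
    return {"username": kid, "access_token": token, "body": body,
            "message_integrity": message_integrity(mac_key, msg)}


class TurnServer:
    def __init__(self, keys: dict):
        self.keys = keys  # kid -> long-term key shared with the auth server

    def authorize(self, req: dict, now: int) -> str:
        shared = self.keys.get(req["username"])
        if shared is None:
            return "unknown kid"
        tok = req["access_token"]
        (nlen,) = struct.unpack(">H", tok[:2])
        nonce, sealed = tok[2:2 + nlen], tok[2 + nlen:]
        try:
            body = open_token(shared, nonce, sealed)
        except ValueError:
            return "bad token"
        (klen,) = struct.unpack(">H", body[:2])
        mac_key = body[2:2 + klen]
        ts, lifetime = struct.unpack(">QI", body[2 + klen:])
        if not (ts <= now < ts + lifetime):
            return "token expired"
        msg = req["body"] + req["username"].encode() + tok
        if not hmac.compare_digest(req["message_integrity"], message_integrity(mac_key, msg)):
            return "message integrity mismatch"
        return "ok"


def demo() -> dict:
    # Constructed scenario: a valid request, the same token after its lifetime,
    # a bit-flipped token, and a replayed token with a forged body (no mac_key).
    shared = os.urandom(32)
    turn = TurnServer({"kid-1": shared})
    now = int(time.time())
    token, mac_key, kid = AuthServer("kid-1", shared).issue(now, lifetime=600)
    req = client_request(kid, token, mac_key, b"ALLOCATE udp")
    tampered = dict(req, access_token=token[:-1] + bytes([token[-1] ^ 1]))
    forged = dict(req, body=b"ALLOCATE tcp")
    return {"valid": turn.authorize(req, now),
            "expired": turn.authorize(req, now + 601),
            "tampered": turn.authorize(tampered, now),
            "forged": turn.authorize(forged, now)}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the draft text above describes: the token is opaque to the client and self-contained for the TURN server, and the client is never identified by a password but by demonstrating possession of the key bound to the token. Whether that key is carried in an OAuth PoP token, a CWT secured with COSE, or the RFC 7635 ACCESS-TOKEN attribute is exactly the reference question the thread is trying to settle.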