Re: [scim] Adhoc meeting at IETF 117 for anyone interested in attested Open-ID/Connect and Oauth2

"Smith, Ned" <ned.smith@intel.com> Wed, 09 August 2023 21:24 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: "oauth@ietf.org" <oauth@ietf.org>, "rats@ietf.org" <rats@ietf.org>, "teep@ietf.org" <teep@ietf.org>, "suit@ietf.org" <suit@ietf.org>, "scim@ietf.org" <scim@ietf.org>
Thread-Topic: Adhoc meeting at IETF 117 for anyone interested in attested Open-ID/Connect and Oauth2
Date: Wed, 09 Aug 2023 21:23:56 +0000
Message-ID: <E9306E0C-4E8C-46FD-B4D2-B790B41260E3@intel.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/Ki7BdTspkE8edvVTByMuBbr_6Ko>
Subject: Re: [scim] Adhoc meeting at IETF 117 for anyone interested in attested Open-ID/Connect and Oauth2
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Folks,
We had a side-bar meeting at IETF 117 last week in San Francisco regarding the possible use of OpenID-Connect/OAuth2.0 as a mechanism to deliver RATS-based device-attestation.

The meeting was attended by about 15 people, mostly from the Identity community (folks who regularly attend OAuth2.0, OIF and IWW).

From the start of the discussion, it was clear that there was some terminology mismatch between the various folks & communities.

For example, in the OAuth2.0 language the word "Client" is typically used to mean the service which is being driven by the user (e.g., to authorize access to a Resource Server (RS), which is typically also a RESTful web-based service).

However, in RATS and TCG language, the "Client" often means the hardware device (in the possession of a user) which will generate evidence regarding the composition (hardware, firmware, software) of the device.

Some folks also mentioned interesting use-cases that the RATS community perhaps has not previously considered. For example, prior to connecting to the RS, it is possible that the OAuth2.0 Client (e.g., hosted by a provider) may seek device-attestations from the RS machine itself (and vice versa).

All in all, we believe that a productive next step would be a discussion on the RATS mail-list regarding common Terminology, something that is meaningful to the RATS community as well as the broader IETF community.

There are 3 I-Ds that are in early stages that seem to be describing aspects of a comprehensive approach to attestation for identity infrastructures:
 https://datatracker.ietf.org/doc/draft-looker-oauth-attestation-based-client-auth/,
 https://datatracker.ietf.org/doc/draft-tschofenig-oauth-attested-dclient-reg/,
 https://datatracker.ietf.org/doc/draft-sh-rats-oidcatt/
Referring to these drafts for context (and possible disagreement) may help with the conversation.

I’m cross-posting to several working groups, but the discussion thread will be exclusive to the RATS WG (rats@ietf.org).

Best
Ned & Thomas