Re: [SPICE] [OAUTH-WG] SPICE will not support JSON, JWT or SD-JWT
Michael Prorock <mprorock@mesur.io> Fri, 15 December 2023 23:45 UTC
Return-Path: <michael.prorock@mesur.io>
X-Original-To: spice@ietfa.amsl.com
Delivered-To: spice@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C1C5C14F5E2 for <spice@ietfa.amsl.com>; Fri, 15 Dec 2023 15:45:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mesur-io.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mcz2Qy02N_wi for <spice@ietfa.amsl.com>; Fri, 15 Dec 2023 15:45:36 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50BAEC14CF15 for <spice@ietf.org>; Fri, 15 Dec 2023 15:45:36 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-50bf2d9b3fdso1614993e87.3 for <spice@ietf.org>; Fri, 15 Dec 2023 15:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mesur-io.20230601.gappssmtp.com; s=20230601; t=1702683934; x=1703288734; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vJDoDwQievj+Uv6CaavXpQN3+RrO1oIyEGv5jAQEW0Q=; b=lzXIUa1A4oLCjo/HuXU9mnhynwf1FgmWsQPpdAgx2YIlxv2tpX5zNyVf+M8g3gihFX hNHjyVuuRaan9LxivqbXiTvu4v5YZHp1WHimnBHeiAttNGLTGFSn3daJbiTMqY7mQ7L3 /6+pVVRL6T9NLRw+gmFsrWE4K/WK40UgSaleBxJ9OnE+Sve5pMPZF1Li1hFRWgx3ri1y zA4zn+MZKNlrma7eTygp8P/3uwo7gWrs9fnIgZUPTaOymbGPJZj16czWbq60owMxNcgR BIsHzAGZbD+V8Ou6ievC/EbAiyJp2we86x41Qn3MlP+d3Jv2EUSsd4ZOfTT1Koa22amv GJ+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702683934; x=1703288734; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vJDoDwQievj+Uv6CaavXpQN3+RrO1oIyEGv5jAQEW0Q=; b=NdCInxmq7FIJxl5IqRJIHf2oGWo+Klfe4LbBKBdNUWNcSB7ahsk+6sHsSNIg/ngie4 pN5iEklBhkMUp9yuM7k2M2XfIP31uFWanqAn+IZITmGkUGTKkwT1eTK/OKb4502vCH2r 8GeJAWrLZMW/h9GFXCMudV884ToqFP94Di8gX+VfIRH0nsdzBE413sl024H/q+DFDnom Ju2Kbpir17kG2qikwiktK25sLL4GhmRIph3Aaz/IyA+APdqjVVJlqvVRiex9+umhcUXB +hrKYii0txkAnLlGlrTHGxOX7j+LkBTj4FKpnnnp2h+SyPgLfJSVMcuXsiIPZZlJjM75 DEKw==
X-Gm-Message-State: AOJu0YyCHpqyTdNx3srDNoV9ke+l5VrqPS9GKu+4GWZ+6SO6qMQR/BZx 9akmbLUf5pkB85tbPN+gg4a3gGAKq4cbE2QJBQwq
X-Google-Smtp-Source: AGHT+IE7Xpcze/3QGwCWfAHnu8QgcGRZVzydZwuQPSpJzkx0/W2ackDHRwg68BEGgkPiYJQvGzkzM+Em6meyY5Sw4+k=
X-Received: by 2002:a05:6512:48da:b0:50b:f1e9:b0ea with SMTP id er26-20020a05651248da00b0050bf1e9b0eamr6277638lfb.100.1702683933379; Fri, 15 Dec 2023 15:45:33 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_L32ME0JDsxFsake3sNu_xU6fSRnFzhGzpiphkmyt1haA@mail.gmail.com> <5CCA9E39-7BDE-48DC-B23F-F0F881B87ED1@mit.edu> <CAJot-L1myjeJFpdmhsaOhFNDTJ5hhbaK-gq_1at4wWkGNospOg@mail.gmail.com> <CAHu=PL3Pc4bpphj4jKAbm=QVP8EjNYXKrP0Q=GDhvR2L8qrW_g@mail.gmail.com> <f715bd7f-3f57-1809-1736-d0445fbf0738@free.fr> <CAN8C-_LaOJgp67oz_vxHBuzka00eNSJR4Akq9AKz5nquRbjApw@mail.gmail.com>
In-Reply-To: <CAN8C-_LaOJgp67oz_vxHBuzka00eNSJR4Akq9AKz5nquRbjApw@mail.gmail.com>
From: Michael Prorock <mprorock@mesur.io>
Date: Fri, 15 Dec 2023 16:45:24 -0700
Message-ID: <CAGJKSNS7gCjUkrraBU2asKHq2-xfCz5K0hu97rdAUZYT4UfADA@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: Denis <denis.ietf@free.fr>, spice@ietf.org, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="00000000000003ab31060c94ff6f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spice/nuuBcxiPR5ZkqC7A7xuoeHHYpzs>
Subject: Re: [SPICE] [OAUTH-WG] SPICE will not support JSON, JWT or SD-JWT
X-BeenThere: spice@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Patterns for Internet CrEdentials <spice.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spice>, <mailto:spice-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spice/>
List-Post: <mailto:spice@ietf.org>
List-Help: <mailto:spice-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spice>, <mailto:spice-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2023 23:45:40 -0000
Orie. I couldn't agree more. Thanks for getting this in place where hopefully we can move forward with it. Mike Prorock CTO - mesur.io On Fri, Dec 15, 2023, 07:37 Orie Steele <orie@transmute.industries> wrote: > Denis, > > I didn't comment on your initial email, since we have discussed much of > this on the SPICE calls, > and I believe you know my position on all these points, but since you > asked for a response on the list, > I am providing one inline: > > On Fri, Dec 8, 2023 at 10:57 AM Denis <denis.ietf@free.fr> wrote: > >> + 1 to Justin >> >> >> >> >> *Let us start with what I agree with. What I agree with in the proposed >> charter: * >> "The SPICE WG will develop a framework in support of the 'Three Role >> Model', selective disclosure, and unlinkability". >> >> One participant from the OAuth mailing list mentioned that the >> unlinkability property between verifiers was out of the scope of SD-JWT. >> However, it is possible to adapt the mechanism described in SD-JWT to >> support the unlinkability property between verifiers when using batches of >> one-time-use credentials. >> Such an approach would provide a smooth transition to support the unlinkability >> between verifiers while specifying another mechanism able to support the >> unlinkability >> between verifiers while using a single credential. >> >> That's all that I agree with. >> >> >> >> >> >> * Let us continue with what I disagree with. What I disagree with in the >> introduction section: * >> 1) "Digital credentials based on IETF standards have use cases ranging >> from personal credentials, such as drivers licenses and vaccination proofs, >> to business-to-business or business-to-government applications;" >> >> Add: "Consumer-to-Business, Consumer-to-Government* , ..."* >> >> "One example is fraud and counterfeiting prevention in cross-border trade >> documents by protecting digital representations of mill test reports, >> bills of materials, bills of lading, or commercial invoices". >> >> These examples are not appropriate since they involve the use of >> electronic signatures or of electronic seals. Please remove this sentence. >> >> > As we've discussed several times, our use case is general purpose > digital credentials, not credentials exclusively for natural persons owning > a smartphone. > >> >> 2) "These scenarios were addressed with registered claim names in JOSE >> and COSE, but resulting solution have lead to fragmented approaches, >> where each working group rediscovers the essential architecture and >> conventions necessary for issuers to make claims about subjects". >> >> "registered claim names" while useful cannot address all business needs. >> Claim names not registered by IANA need to be considered and supported. >> >> > This is true of JOSE and COSE today, there is a section reserved for > private use, and private claim names. > This is one of the few places where the charter attempts to narrow scope, > and it seems unlikely that you will convince the group to widen here. > >> >> 3) "The SPICE WG focuses on a few explicit higher level objectives: >> >> (a) unreliability enabling trustworthy exposition of minimal required >> information to prevent correlation and other attacks, >> (b) selective disclosure enabling controlled exposition and an >> authorized subset of linkability, >> (c) a well-curated, concise claim vocabulary enabling cross-domain >> interchangeability via registration authorizes (i.e., IANA)." >> >> (a) the item (a) is not understandable: "unreliability"? >> (b) "selective disclosure" is fine, however, the remaining of the >> sentence is not understandable. >> (c) See above: Claim names not registered by IANA also need to be >> considered and supported. >> >> > Thanks, I've refined that sentence here: > https://github.com/transmute-industries/ietf-spice-charter/pull/16 > >> >> 4) "These objectives can be achieved by leveraging industry adopted >> standards and managing trade-offs between cutting-edge and well-established >> cryptography". >> >> The wording " by leveraging industry adopted standards and" should be >> removed, since this would prevent creativity. >> >> > I disagree, we have been asked to narrow scope and opening things up here, > such as working with new formats, or inventing new formats, would be a > mistake in my opinion. > > As an example, we could reinvent all of JOSE and COSE in Protocol Buffers, > should our charter allow us to do that? > >> >> 5) "As a guiding principle for the SPICE WG, claims that work well in >> JSON must work well in CBOR, without loss of semantics. >> Compact expressions of claims consume less resources and expose less >> attack surface, these properties are in support sustainable design". >> >> As already said, claim names not registered by IANA also need to be >> considered and supported. In order to consume less resources for >> transferring data, >> the use of template or schemas able to make references to other templates >> or schemas should be considered. Template or formats are essential >> for interoperability and to facilitate the encoding of the data as well >> as the automatic validation of received data. Template or formats can >> constraint >> an element to be an object, array, string, number, boolean, or null or >> constraint an element to be a member of a set of values. >> >> > I'm interested in registered claim names for "template" / "schema" / "data > definition" links. > > We don't need to register every private claim, if we have a way to > understand them, that is well known and understood. > > For JSON, that might mean registering `@context` for JSON-LD, `schema` for > JSON Schema, etc... but that's the kind of detail that does not belong in > the charter. > >> >> 6) "The SPICE WG will support digital credential formats leveraging >> existing IETF standards and IANA registries, " >> >> Considering only "*existing IETF standards*" would prevent to address >> new technologies. >> As already said, claim names not registered by IANA also need to be >> considered and supported. >> >> I disagree. > >> >> 7) "Digital credentials are identity documents with attributes (public or >> private claims in IANA registries) about the identity". >> >> As already said, claim names not registered by IANA also need to be >> considered and supported. >> >> > I disagree. > >> >> 8) "The identifiers referenced could be about any subject, but common >> examples include people, devices, assets, organizations and processes". >> >> Only individuals should be considered. When individuals are considered, >> primary requirements come from a privacy perspective (collection >> limitation, user consent;, etc) >> Devices, assets, organizations and processes should be out of the scope. >> >> I disagree. > >> >> 9) "*Examples of producing and consuming digital credentials with the >> "Three Role Model" include credential endorsement by third parties,* >> credential trustworthiness >> via remote attestation evidence appraisal for issuers, or credential >> transparency via notarization". >> >> "credential trustworthiness via remote attestation evidence appraisal for >> issuers" is not understandable, >> "or credential transparency via notarization". Since the communication >> between an Holder and a Verifier is a direct, there is no need for >> notarization. >> >> >> > I disagree, this sentence is related to well known concepts such as > identity proofing, and requirements that an issuer might have on a digital > wallet before provisioning a credential, see: > > https://pages.nist.gov/800-63-FAQ/ > > >> *What I disagree with in the in-scope section* >> >> 10) "The work of the SPICE WG aligns JWT and CWT registered claim names >> ..." >> >> As already said, claim names not registered by IANA also need to be >> considered and supported. >> >> I disagree. > >> >> 11) "The framework will provide an architecture that enables consistent >> application of JOSE and COSE, " >> >> JOSE and COSE are mostly used for the transfer of data that contain an array, >> a string, a number or a boolean associated with a claim name. >> However, a credential "template" should first be advertised by an Issuer >> to both Verifiers and Holders. JOSE or COSE formats are not adequate for >> that purpose. >> >> When using BBS+, data objects transmitted between an Holder and a >> Verifier will be HEX encoded and, in addition to an header, will contain >> indexes >> and values (usually up to 32 bytes). Claim names, whether they are >> registered or not by IANA, are of no use at that stage. JOSE or COSE may or >> may not be >> adequate for the transfer. The argument raised later on, i.e. "Compact >> encoding matters and aligning JSON and CBOR provides the basis for simpler >> interoperability >> and smaller specification" is not necessarily valid. >> >> > BBS is in scope, to the extent that it is supported by JOSE and COSE.... > it's currently in a draft format, but I believe it's possible to start > building on... W3C is already trying to build on top of it. > > The approach taken there is to turn application/vc+ld+json into > application/n-quads (an expensive operation on untrusted data), and then > use the nquads to produce the message set input to BBS. > > We've tested this approach and it has scaling issues, we'd like to see a > simpler approach adopted for digital credentials. > >> >> >> *What I disagree with in the out-of-scope section * >> 12) "The working group will NOT address transport protocols, such as >> those developed at OAUTH, OIDF, W3C or ISO in the scope of its initial >> charter." >> >> There is a need to support a credential request protocol different from >> the one specified by ODIF. It should be based on the use of credential >> templates or schemas. >> It should allow the individual to select which set of claim names and/or >> values should be incorporated. It should also be efficient when issuing or >> renewing batches >> of one-time-use credentials. Generally speaking, the working group >> should either define or reference the protocols that will need to be used. >> >> The reason this sentence is there, is that folks wanted to be able to use > SPICE formatted digital credentials in other protocols... it also helps us > narrow scope. > Widening scope here will make the charter less achievable in my opinion. > >> >> 13) "The working group will NOT address specific credential use cases, >> such as "personal credentials ... " >> >> I wonder what is meant by using the wording " personal credentials". >> Credentials issued to human beings should be the single use case to >> consider. >> >> Vertical specific use cases are out of scope. This is an area where we > could narrow further... we could focus only on credentials for humans, > dogs, or products... > > Based on the conversations we've had, there does not seem to be strong > consensus to narrow scope to a single vertical. > >> >> 14) "The SPICE WG's work items will not require nor forbid the use of >> JSON-LD". >> >> Such a sentence will not help to achieve interoperability, since >> credential "templates" should be advertised by an Issuer to both Verifiers >> and Holders. >> >> > This sentence is critical to distinguishing SPICE Digital Credential > formats from W3C Verifiable Credential formats, it was requested by W3C > Members. > > The goal is for SPICE to be less opinionated about application layer media > types (json-ld is the only supported claims format), > and more opinionated about security (sign and verify operations are not > trivial to exploit, when input data is not carefully validated against > known schemas). > > As I pointed out earlier, this sentence does not preclude using SPICE to > secure JSON-LD or JSON Schema... it just doesn't force us, in our > charter... to all support the same schema language. > > The W3C VCWG charter also did not force that group to only do JSON-LD, but > that ended up being what the working group consensus reflected, > and part of that consensus was to do none JSON-LD work in other places, > such as ISO, IETF or ... other places... that's part of why we are having > this discussion here. > > Based on our experience working with digital credentials, we don't believe > that forcing people to learn a schema language to issue, present and verify > is a path to success. > > We also believe, based on our experience working in this space, that > forcing implementers to copy syntax that they don't understand, and telling > them they don't need to understand it, is misleading and harmful. > > Since you seem to disagree with me frequently on this point, > I encourage you to apply for invited expert status to the W3C VCWG, > I am sure you will find many people there who strongly agree with you. > > More candidly, much of what you wish to discuss continues to be > inappropriate for a charter document, but very appropriate for a working > group... > > I hope we can continue these discussions in a working group with an > approved charter. > > >> *Other comments * >> >> The wording used in this proposed charter is only the tip of the iceberg. >> Other considerations are missing, such as: >> >> - how can the application used by the individual know which set of claims >> and/or *which kind of proofs *will be required by the Verifier >> in order to allow the application to perform an action related to a >> specific purpose ? >> >> This sounds like a thing to discuss in a working group, assuming a > charter was accepted. > >> >> - how can the user know that he can trust what is presented in the >> display and that his entries will not be intercepted by a rogue application >> ? >> >> This sounds like a thing to discuss in a working group, assuming a > charter was accepted. > >> >> - how can the Verifier know that the application used by the individual >> is "appropriate", that the cryptographic keys are well protected and >> restricted >> to be used only by that application ? >> >> This sounds like a thing to discuss in a working group, assuming a > charter was accepted. > >> >> Denis >> >> Our company is interested in SPICE from the perspective that the N-party >> model is about independent entities that are all Issuers, Holders and >> Verifiers at times. >> >> To maximize usefulness and adoption, the "secure pattern(s)" should work >> for all types of entities, across all use cases, in highly heterogeneous >> environments, and throughout the life of each entity. >> >> If on a business trip, an employee of a rental car company lends me a >> digital key to unlock a specific car, there are 2 humans, 2 orgs, a car >> and, a door lock entity that are all expected to cryptographically enforce >> some verifiable business logic (likely attested software agents, that are >> entities themselves). The problem that needs solving is not about one >> credential, it's about enabling the long, complex, cryptographic >> chains/graphs that are necessary to make each credential truly useful. >> >> From that perspective, the north star is attack surface minimization. Our >> perspective is that SPICE should specify the minimalistic and most secure >> "how". The benefits of potential deviations should be evaluated against >> incremental attack surface and loss of interoperability. >> >> While this may not be how other WGs usually work, this WG works on behalf >> of the independent entities it intends to empower and secure. >> >> Manu >> >> On Fri, Dec 8, 2023 at 4:19 AM Warren Parad <wparad= >> 40rhosys.ch@dmarc.ietf.org> wrote: >> >>> I'm with Justin, I can't fathom why you would couple a WG to a format. >>> We know from building great software we should not constrain the *how* but >>> instead only the *what. *VC likely lives in SPICE, but that doesn't >>> mean anything about *how* such things should be implemented. Likewise, >>> if there is an OAuth-related need to extend to COSE or CBOR, I would expect >>> that the OAuth WG to pick it up, since it falls into the *What* of the >>> WG. >>> >>> Talking about spec formats doesn't make sense in any charter. >>> >>> - Warren >>> >>> On Fri, Dec 8, 2023 at 4:57 AM Justin Richer <jricher@mit.edu> wrote: >>> >>> All of the VC-related elements that are currently in OAuth quite frankly >>>> do not belong there, but there’s not currently a better place to put them. >>>> SPICE would be just such a better place, if it gets chartered as a WG. >>>> Intentionally limiting SPICE to only COSE just in response to OAuth is >>>> shortsighted and will not result in the best work that this group of people >>>> can accomplish. >>>> >>>> — Justin >>>> >>>> On Dec 7, 2023, at 4:50 PM, Orie Steele <orie@transmute.industries> >>>> <orie@transmute.industries> wrote: >>>> >>>> Hello, >>>> >>>> On the last SPICE proponents call, we discussed the follow up from the >>>> last IETF. >>>> >>>> OAuth has adopted "verifiable credentials" in JSON related work items, >>>> and unless something changes, we expect that trend to continue for JSON >>>> based claimsets, >>>> verifiable credential related extensions to OAuth defined data formats, >>>> like JWT, SD-JWT, >>>> Status Lists, VC-JWT-SD, and any future formats that might be used in >>>> access or identity tokens (BBS / JWP). >>>> >>>> On the SPICE calls we've seen no major interest in doing credential >>>> related work in JSON, >>>> while we have seen a lot of interest in doing digital credential work >>>> in CBOR. >>>> >>>> Now is your chance to argue that SPICE (in its first ever charter) can >>>> effectively support aligning JWT / CWT claimsets, >>>> and meaningfully address our intended charter deliverables, for which >>>> there is now an updated PR: >>>> >>>> https://github.com/transmute-industries/ietf-spice-charter/pull/15 >>>> >>>> and that OAuth should not handle the JSON part of the "3 party model", >>>> "verifiable credentials" and "JSON related digital identity formats". >>>> >>>> Unless we receive a strong response contradicting the assertions in the >>>> subject of this email, >>>> we plan to reduce the scope of SPICE to focus on CBOR. >>>> >>>> If SPICE forms, and things change in OAuth, perhaps a future SPICE >>>> charter might attempt alignment. >>>> >>>> We will gather feedback for 4 weeks, to account for the holidays, >>>> after which we will revise the draft charter to put JSON, JWT, SD-JWT >>>> and associated claims work out of scope. >>>> >>>> Regards, >>>> >>>> OS >>>> >>>> -- >>>> >>>> ORIE STEELE Chief Technology Officer www.transmute.industries >>>> <https://transmute.industries/> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> -- >>>> SPICE mailing list >>>> SPICE@ietf.org >>>> https://www.ietf.org/mailman/listinfo/spice >>>> >>> -- >>> SPICE mailing list >>> SPICE@ietf.org >>> https://www.ietf.org/mailman/listinfo/spice >>> >> >> >> > > -- > > > ORIE STEELE > Chief Technology Officer > www.transmute.industries > > <https://transmute.industries> > -- > SPICE mailing list > SPICE@ietf.org > https://www.ietf.org/mailman/listinfo/spice >
- [SPICE] SPICE will not support JSON, JWT or SD-JWT Orie Steele
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Justin Richer
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Warren Parad
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Manu Fontaine
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Denis
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Brent Zundel
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Dick Hardt
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Orie Steele
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Michael Prorock
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Tschofenig, Hannes
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Watson Ladd
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Tschofenig, Hannes
- Re: [SPICE] [OAUTH-WG] SPICE will not support JSO… Orie Steele