[Txauth] Getting Started

Justin Richer <jricher@mit.edu> Mon, 07 October 2019 21:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/1JSZb2tPIPV_rQx41MvGVzA3sG8>

Hi everyone, thanks for joining the TXAuth list. We’ve got a BoF proposed for Singapore, with a confirmed BoF chair and a couple confirmed presenters. With that, I wanted to take a few minutes to go over some things.

1) Why something new?

I’ve presented about this very topic a few times [1][2], but the short of it is that the incredibly successful OAuth 2 protocol is reaching its edges. We’re doing things with it now that we never envisioned a decade ago, and we’re consistently seeing people wanting to use it for things that it can’t do, also. I’m arguing that we should really take a bit to step back from our assumptions and try to solve today’s problems in a clean and consistent manner, and that we’ll have a better solution for it.

2) Why isn’t this on the OAuth list?

The things that we’re discussing in TXAuth are inspired by many things in OAuth and its ecosystem, but it’s clear that this is new work and not an extension to OAuth 2. What isn’t clear is exactly where this work is going to happen, and we wanted to separate the conversation about new stuff into its own space, at least for now. If we end up rechartering the OAuth WG to include this work, we’ll move the conversation back over there instead.

3) Is this just an effort to stamp “standard” on XYZ?

The XYZ project (https://oauth.xyz/) is my early attempt at building a protocol that combined the goals of a number of different aspects of the OAuth 2 ecosystem into a single protocol. I am going to submit XYZ as consideration for the starting document of whatever we end up working on. I really like the structure and patterns in XYZ, and believe there’s a lot we can learn from its design, but I have no illusions of this draft being the final product.

4) Is this the end of OAuth 2 (or OIDC or UMA or …)?

Hardly. OAuth 2 does a job and handles it well, and I genuinely don’t think it’s going to disappear overnight. And there’s a lot of good work happening to bring OAuth into the modern world, particularly the combination of PAR/RAR/JAR. Even so, I think we can build something without the chains of backwards-compatibility that will be both simpler and more capable, and that’s what this list and related work is for.

5) Is this OAuth 3?

Could be. Might be something else that’s either not OAuth or even not-authz-specific. That’s for a working group to decide — whether the OAuth WG (after a recharter) or a new WG (if it’s founded after the BoF).


Thanks everyone, and I hope to see you in Singapore!

— Justin