[Txauth] New version of XYZ Draft

Justin Richer <jricher@mit.edu> Thu, 16 July 2020 21:52 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <A5C2F2EE-277B-4DE5-8839-C804CCD64A59@mit.edu>
Date: Thu, 16 Jul 2020 17:52:46 -0400
To: txauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/NcOVfTkjEINMbknbllp8Lu_y69I>
Subject: [Txauth] New version of XYZ Draft

Hi all,

I’ve updated the XYZ draft specification. Since the publication tools are currently locked prior to the upcoming virtual meeting, I have published it online here:

https://oauth.xyz/draft-richer-transactional-authz

This represents a pretty significant refactoring of the specification, hopefully to make the concepts and capabilities easier to understand. The core protocol is largely the same as before, but there are a number of serious updates:

 - Continuation requests happen at a URL returned in the TX response. The “handle” is still sent as one of the input values here, since the handle can also be used in other contexts.
 - Tokens now can include the resources they are issued for
 - Tokens can have an optional management URI for rotation and revocation.
 - “claims” has been removed in favor of “subject” dealing directly with identifiers and assertions
 - the “user” request and response now align with identifiers and assertions
 - Extensions and registries are more clearly enumerated throughout the document
 - DID-related items have been excised in deference to a future possible extension
 - Added a “pushback” mechanism to complement the “callback” mechanism
 - Simplified dynamic handle returns and access tokens based on developer feedback (basically we dropped a bunch of “what if” stuff that nobody used or liked, like SHA3 hashes for bearer tokens)

I’ve also updated the interactive examples on https://oauth.xyz/ to match this new draft. Hopefully it’s consistent with the draft text.

I have not yet, however, updated any of the implementations of XYZ to take the elements of new syntax into account, so there might be some more changes prior to the IETF meeting as I realize what terrible mistakes I’ve made when doing that. :) 

Feedback, as always, is welcomed, and thanks to everyone who’s provided input to the project to date. 

 — Justin