Re: [Txauth] Call for charter consensus - TxAuth WG
Vladimir Dzhuvinov <vladimir@connect2id.com> Thu, 19 March 2020 17:35 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E162E3A0BD1 for <txauth@ietfa.amsl.com>; Thu, 19 Mar 2020 10:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id quawNlRwR6Zi for <txauth@ietfa.amsl.com>; Thu, 19 Mar 2020 10:35:12 -0700 (PDT)
Received: from p3plsmtpa09-06.prod.phx3.secureserver.net (p3plsmtpa09-06.prod.phx3.secureserver.net [173.201.193.235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 374AA3A0BB2 for <txauth@ietf.org>; Thu, 19 Mar 2020 10:35:11 -0700 (PDT)
Received: from [192.168.88.241] ([94.155.17.54]) by :SMTPAUTH: with ESMTPSA id Ez4YjBguscbP9Ez4YjRepL; Thu, 19 Mar 2020 10:35:11 -0700
X-CMAE-Analysis: v=2.3 cv=NcGYKFL4 c=1 sm=1 tr=0 a=FNQ4XmqxRr20pcroDK0mpg==:117 a=FNQ4XmqxRr20pcroDK0mpg==:17 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=q0rX5H01Qin5IyBaTmIA:9 a=LZs3M66Qduh0QFinj3oA:9 a=QEXdDO2ut3YA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: txauth@ietf.org
References: <MN2PR00MB0686B5459E642FE6E65686F7F5F60@MN2PR00MB0686.namprd00.prod.outlook.com> <CAGBSGjoMWjRE3zSsngwwpmzQ5D6JM29cHGj3A4ey7Q7gNvcHrQ@mail.gmail.com> <D2B641E1-131B-4E4B-83A6-214E223C3094@mit.edu> <CAKiOsZtV4oMC7QiDC1s20koc2f0Sjd8MzMEsWRf+KVsDN-8iKA@mail.gmail.com> <2D372D08-804D-4EF6-8C36-540CCA90244B@mit.edu> <44E06611-E67E-4ABA-B410-36D40FACF8B1@lodderstedt.net> <2F0CE6F6-DD9E-4DD4-99A0-E6CD78421D2B@mit.edu> <255028E2-8B99-438F-80DB-434B000114B1@lodderstedt.net> <A101613B-AB87-4335-8D82-57F996DC0DC2@mit.edu> <0CD3C061-D85F-45AC-898E-633682CF4C77@lodderstedt.net>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <c56ae52d-e858-8a21-ea2e-32f799d20e18@connect2id.com>
Date: Thu, 19 Mar 2020 19:35:09 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <0CD3C061-D85F-45AC-898E-633682CF4C77@lodderstedt.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050302090608090704080401"
X-CMAE-Envelope: MS4wfFOBqfnLkFS56ahJfpSrovJ2a0uuZAnR7NjCnaaF8Em575w0AK3eRKc3DzIbsVKtITWiuMipL0LPHpWJDtyDrVK+KBB/zne4m4Vd0C6zI87qyIurkS0+ 2rvOEw0nV0ovKAz+7ca5cLnNEkLSrJaXjPeTr5fBvJqB6TQ7bpP1iuEu
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/VgWF2M1UzcKDarc4mlW3YPz9wDY>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 17:35:14 -0000
On 19/03/2020 19:11, Torsten Lodderstedt wrote: > On 19. Mar 2020, at 17:47, Justin Richer <jricher@mit.edu> wrote: >> Well, it’s in scope as much as describing any other aspect of what the token is for and what it represents is in scope. That is alongside things like the intended audience of the token, the access rights for the token, the presentation keys the token is bound to, etc. It could be information in the token text itself (like a JWT), it could be introspected from the AS, it could be referenced in some other way. So if we can define identity aspects in that, then we’re fine in covering it there. >> >> But here’s the thing: none of that has an impact on the core protocol. That is entirely up to the AS and the RS to agree on, and the client never sees or has any influence on it. That portion of the protocol is completely opaque to the client. Therefore, it doesn’t really affect the authorization and delegation portions of the client talking to the AS and the client talking to the RS. >> >> This does raise the question of what our bar of interoperability is going to be with TxAuth: do we expect independent AS and RS implementations to talk to each other? That’s not something OAuth 2 was ever concerned with, though obviously JWT and introspection are both from the OAuth2 WG and solve that problem. > There are two aspects to it: interoperability and vendor support. > > Interoperability between AS and RS is important if deployments want to combine pre-packaged TXAuth and API implementations. I think that makes a lot of sense and should be included in the charter. +1 The current OAuth 2.0 status quo of the largely unspecified relationship between AS and RS is also making the life of web & sec framework maintainers difficult. We witnessing this with people integrating the OAuth SDK into frameworks. Vittorio's recent work to put together a minimal interoperable JWT profile for access tokens is helpful, but it has come after the fact. And there is not agreement on things like authorising access to claims. Integrating apps (RSs) with TxAuth should be straightforward and simple. This can have a enormous effect on adoption. > Vendors support: vendor support when it comes to "what can go into an access token" and "what can be conveyed in a token introspection response” greatly deviates in my observation. This also means implementation use vendors specific features restricting their ability to use other solutions. TXAuth should aim at improving the situation. +1 > I also think it is a good exercise for the group to think the whole process "from the end”. The purpose of TXAuth (and OAuth) is not to provide clients with access tokens. The purpose is to enable API request processing in a secure manner. What it really takes to achieve that goal is not obvious if the work always stops at the “you have your access token, good luck” stage. +1 Vladimir
- [Txauth] Call for charter consensus - TxAuth WG Yaron Sheffer
- Re: [Txauth] Call for charter consensus - TxAuth … Aaron Parecki
- Re: [Txauth] Call for charter consensus - TxAuth … Aleksei Petrov
- Re: [Txauth] Call for charter consensus - TxAuth … Amanjeev Sethi
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … David Skaife
- Re: [Txauth] Call for charter consensus - TxAuth … Leif Johansson
- Re: [Txauth] Call for charter consensus - TxAuth … Florian Biesinger
- Re: [Txauth] Call for charter consensus - TxAuth … Lee McGovern
- Re: [Txauth] Call for charter consensus - TxAuth … Daniel DeGroff
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Sudipta Pal
- Re: [Txauth] Call for charter consensus - TxAuth … Dmitri Zagidulin
- Re: [Txauth] Call for charter consensus - TxAuth … Fabien Imbault
- Re: [Txauth] Call for charter consensus - TxAuth … Matthew De Haast
- Re: [Txauth] Call for charter consensus - TxAuth … Fabien Imbault
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Stephen Moore
- Re: [Txauth] Call for charter consensus - TxAuth … Tobias Looker
- Re: [Txauth] Call for charter consensus - TxAuth … Richard Backman, Annabelle
- Re: [Txauth] [EXTERNAL] Re: Call for charter cons… Mike Jones
- Re: [Txauth] [EXTERNAL] Re: Call for charter cons… Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … Aaron Parecki
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … David Skaife
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Vladimir Dzhuvinov
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … David Skaife
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Nat Sakimura
- Re: [Txauth] Call for charter consensus - TxAuth … Vittorio Bertocci
- Re: [Txauth] Call for charter consensus - TxAuth … Vijay IETF
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Kim
- Re: [Txauth] Call for charter consensus - TxAuth … Brian Campbell
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Nat Sakimura
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer