IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Dick Hardt <dick.hardt@gmail.com> Mon, 13 January 2020 17:53 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B50C120963 for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 09:53:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rEI262s9nFdQ for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 09:53:13 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240C0120962 for <txauth@ietf.org>; Mon, 13 Jan 2020 09:53:13 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id y19so7523361lfl.9 for <txauth@ietf.org>; Mon, 13 Jan 2020 09:53:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4YFQ0cQaSphpVQmm3ZaeD5zzq/jTQAMoNdCZPzwsL/w=; b=eX/fRBvxcpvzJPW7YrfFglSX3rKNvJk1Anb6zB/72UjNWQmMcLmohhwBJVZaJ8yzp8 QG/2c662EoEXh+YHYjw0O6ar/zdknDSZJcaYgm9lk1ESbd6dVnpC3ASR3ngA1e2mpW8D jpfGWU4tMfiuxnC7NvKoOi3D+7zXMcFJj0S4ns5UZ7nIyXD6GbKqbexL8ImKNXaiIhwn K7OOXpBNv/SxM9FL5/Ap8W0eLxAcnCOIoSSeUBUAGwnB7cgmu4LjKRHrfxAF6Sl8/3Y3 +UpannxMoLzIbBW+IU4fyyzxikD0cBO4wS/gLZV3vhwSLrjv+dGFlcR7B2sqh7kSSO9+ Rccw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4YFQ0cQaSphpVQmm3ZaeD5zzq/jTQAMoNdCZPzwsL/w=; b=ne4fVkAPJPhwh9G0OUeLIYkpSkcPIlpkd8+AHfPA13tjz8vtloF9jiesm1Doj3eQZS Q+vOK9mkzYzEkh815wtP342qRzQ5DQ8dFPe+fJly267QjDsZnPM1LHv8wlNqv1A2kbZO ldGzMvT7ZCNN1a9TDiC29/Qw7rzYaH7hUZ69Rxpi7mfRfAD1SBjQvK2IPI4pkjnj8gzc fzTPW1LapYrVK1T8WU8AJfPCZM/x2H1M75vWvK5Zv5K4Wdaf3HJY0MT3haQR0ZUFIrm/ msn9oF5+x+fxdRgFlZmrROIVfbelaLG3e7d/JM25SeEFIS7jJYiYT/H90+YcuI4UPGF7 uuHQ==
X-Gm-Message-State: APjAAAXKp9J3FhoMnylatucoItIfrP+lluDs+kdRdPT4SK4znQjfeJfH nItv73GGOBQ9d0er40j88JdcuNryuNsZNwlyM5I=
X-Google-Smtp-Source: APXvYqzHMMabIp/bDzJRWoRgTM/sGid44DpHcsD0aDRghoXjnOiywAwdtRS5I8wRyBWS5GRNMIueIWoo8LWXVrE/CwI=
X-Received: by 2002:a19:cb54:: with SMTP id b81mr10315068lfg.188.1578937991250; Mon, 13 Jan 2020 09:53:11 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <CA+eFz_JTNJG=Lav8dxzq4c8565QDG=uqAPsnL1rfqTVN-WoLQQ@mail.gmail.com> <8735c94a16d64c008e650347de113e55@CHRP5009.corp.gwpnet.com> <1DFB3EDF-29BD-41F2-B9A9-5F602C772173@mit.edu>
In-Reply-To: <1DFB3EDF-29BD-41F2-B9A9-5F602C772173@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jan 2020 09:53:00 -0800
Message-ID: <CAD9ie-uhfnYrSwyNq2AsP1kcephv9+ATHKGyUiW6VH9RqPV4oQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, Lee McGovern <Lee_McGovern@swissre.com>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017489a059c092638"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/dpibr1W1O58tUztbONInLkLBkNE>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 17:53:16 -0000

UX constrained devices?

On Mon, Jan 13, 2020 at 9:30 AM Justin Richer <jricher@mit.edu> wrote:

> I think it should be I struggled on how to capture that. The key element
> here is that there’s one device doing the request and another doing the
> interaction. This pattern is also used in CIBA and some UMA style flows, so
> it’s not just about the nature of the client but also about the nature of
> the users involved.
>
> So for now that’s firmly in “and other” but I’m open to suggestion!
>
>
>  — Justin
>
> On Jan 13, 2020, at 2:59 AM, Lee McGovern <Lee_McGovern@swissre.com>
> wrote:
>
> "Web, mobile, single-page, and other types of client applications"
>
> Should device (as in device flow) be explicitly mentioned here?
>
> *From:* Adrian Hope-Bailie <adrian@hopebailie.com>
> *Sent:* Samstag, 11. Januar 2020 08:11
> *To:* Dick Hardt <dick.hardt@gmail.com>
> *Cc:* Justin Richer <jricher@mit.edu>; txauth@ietf.org
> *Subject:* Re: [Txauth] alternative charter writeup
>
> +1
>
> On Sat, Jan 11, 2020 at 04:56 Dick Hardt <dick.hardt@gmail.com> wrote:
>
> This looks even better! Thanks Justin.
>
> What do others think of the proposed charter now?
> ᐧ
>
> On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote:
>
> Thanks, Dick. I’ve been working on an updated charter based on everyone’s
> feedback, and I was aiming to have out today anyway, so this timing is
> helpful. So here’s my take on a new charter, incorporating some of your
> points below:
>
>
> This group is chartered to develop a delegation protocol for identity,
> authorization, and API access. This protocol will allow an authorizing
> party to delegate access to client software through an authorization
> server. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0 and OpenID Connect.
>
> The delegation process will be acted upon by multiple parties in the
> protocol, each performing a specific role. The protocol will be initiated
> by the client interacting directly with the authorization server (in
> contrast with OAuth 2 which is initiated by the client redirecting the
> user’s browser). The client will involve the authorizing party as necessary
> through interaction mechanisms indicated by the protocol.
>
> Additionally, the delegation process will allow for:
>
> - Fine-grained specification of resource access
> - Approval of identity claims and multiple resources in a single
> interaction
> - Delegation between multiple users
> - Web, mobile, single-page, and other types of client applications
>
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
>
> - Cryptographic agility for keys, message signatures, and proof of
> possession
> - User interaction mechanisms including web and non-web methods
> - Mechanisms for providing user, software, organization, and other pieces
> of information used in authorization decisions
> - Token presentation mechanisms and key bindings
>
> Additionally, the group will provide mechanisms for management of the
> protocol lifecycle including:
>
> - Discovery of the authorization server
> - Revocation of active tokens
> - Query of token rights by resource servers
>
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, the group
> will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the
> new protocol where possible.
>
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will seek to
> take advantage of optimization features of HTTP2 and HTTP3, and will strive
> to enable simple mapping to other protocols such as COAP.
>
>
> On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>
> Hey
>
> I've written an alternative charter that I hope captures some of the
> feedback on Justin's charter.
>
> I found it easier to rewrite the charter to broaden the marketplace of
> ideas.
>
> Key ideas:
>
> - This work supports existing OAuth 2.0, and OpenID Connect use cases.
>
> - The client interacts directly with the authorization server.
>
> /Dick
>
>
> ----
>
> This group is chartered to develop a delegated identity and authorization
> protocol.. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In
> contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated
> by redirecting the user's browser to an authorization server, this protocol
> will be initiated by the client directly interacting with the authorization
> server..
>
>
> Additionally, the protocol will allow:
> - fine-grained specification of resource access
> - the user to approve requests for identity claims and access to multiple
> resources in one interaction
> - web, mobile, single-page, and other client applications
> - taking advantage of optimization features in HTTP2 and HTTP3
>
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
>
> - discovery of the authorization server
> - cryptographic agility for keys, message signatures, and proof of
> possession
> - user interaction mechanisms including web and non-web methods- token
> presentation mechanisms and key bindings
>
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to
> simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse
> existing semantics such as client identifiers, OAuth 2.0 scopes and access
> tokens, and OpenID Connect ID Tokens and claims.
>
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will strive to
> enable simple mapping to other protocols such as COAP.
>
>
> ᐧ
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
>
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
> --
> Sent from a mobile device, please excuse any typos
>
> This e-mail, including attachments, is intended for the person(s) or
> company named and may contain confidential and/or legally privileged
> information.
> Unauthorized disclosure, copying or use of this information may be
> unlawful and is prohibited. If you are not the intended recipient, please
> delete this message and notify the sender.
> All incoming and outgoing e-mail messages are stored in the Swiss Re
> Electronic Message Repository.
> If you do not wish the retention of potentially private e-mails by Swiss
> Re, we strongly advise you not to use the Swiss Re e-mail account for any
> private, non-business related communications. --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email