Re: [Txauth] alternative charter writeup
Dick Hardt <dick.hardt@gmail.com> Mon, 13 January 2020 17:53 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B50C120963 for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 09:53:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rEI262s9nFdQ for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 09:53:13 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240C0120962 for <txauth@ietf.org>; Mon, 13 Jan 2020 09:53:13 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id y19so7523361lfl.9 for <txauth@ietf.org>; Mon, 13 Jan 2020 09:53:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4YFQ0cQaSphpVQmm3ZaeD5zzq/jTQAMoNdCZPzwsL/w=; b=eX/fRBvxcpvzJPW7YrfFglSX3rKNvJk1Anb6zB/72UjNWQmMcLmohhwBJVZaJ8yzp8 QG/2c662EoEXh+YHYjw0O6ar/zdknDSZJcaYgm9lk1ESbd6dVnpC3ASR3ngA1e2mpW8D jpfGWU4tMfiuxnC7NvKoOi3D+7zXMcFJj0S4ns5UZ7nIyXD6GbKqbexL8ImKNXaiIhwn K7OOXpBNv/SxM9FL5/Ap8W0eLxAcnCOIoSSeUBUAGwnB7cgmu4LjKRHrfxAF6Sl8/3Y3 +UpannxMoLzIbBW+IU4fyyzxikD0cBO4wS/gLZV3vhwSLrjv+dGFlcR7B2sqh7kSSO9+ Rccw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4YFQ0cQaSphpVQmm3ZaeD5zzq/jTQAMoNdCZPzwsL/w=; b=ne4fVkAPJPhwh9G0OUeLIYkpSkcPIlpkd8+AHfPA13tjz8vtloF9jiesm1Doj3eQZS Q+vOK9mkzYzEkh815wtP342qRzQ5DQ8dFPe+fJly267QjDsZnPM1LHv8wlNqv1A2kbZO ldGzMvT7ZCNN1a9TDiC29/Qw7rzYaH7hUZ69Rxpi7mfRfAD1SBjQvK2IPI4pkjnj8gzc fzTPW1LapYrVK1T8WU8AJfPCZM/x2H1M75vWvK5Zv5K4Wdaf3HJY0MT3haQR0ZUFIrm/ msn9oF5+x+fxdRgFlZmrROIVfbelaLG3e7d/JM25SeEFIS7jJYiYT/H90+YcuI4UPGF7 uuHQ==
X-Gm-Message-State: APjAAAXKp9J3FhoMnylatucoItIfrP+lluDs+kdRdPT4SK4znQjfeJfH nItv73GGOBQ9d0er40j88JdcuNryuNsZNwlyM5I=
X-Google-Smtp-Source: APXvYqzHMMabIp/bDzJRWoRgTM/sGid44DpHcsD0aDRghoXjnOiywAwdtRS5I8wRyBWS5GRNMIueIWoo8LWXVrE/CwI=
X-Received: by 2002:a19:cb54:: with SMTP id b81mr10315068lfg.188.1578937991250; Mon, 13 Jan 2020 09:53:11 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <CA+eFz_JTNJG=Lav8dxzq4c8565QDG=uqAPsnL1rfqTVN-WoLQQ@mail.gmail.com> <8735c94a16d64c008e650347de113e55@CHRP5009.corp.gwpnet.com> <1DFB3EDF-29BD-41F2-B9A9-5F602C772173@mit.edu>
In-Reply-To: <1DFB3EDF-29BD-41F2-B9A9-5F602C772173@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jan 2020 09:53:00 -0800
Message-ID: <CAD9ie-uhfnYrSwyNq2AsP1kcephv9+ATHKGyUiW6VH9RqPV4oQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Adrian Hope-Bailie <adrian@hopebailie.com>, Lee McGovern <Lee_McGovern@swissre.com>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017489a059c092638"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/dpibr1W1O58tUztbONInLkLBkNE>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 17:53:16 -0000
UX constrained devices? On Mon, Jan 13, 2020 at 9:30 AM Justin Richer <jricher@mit.edu> wrote: > I think it should be I struggled on how to capture that. The key element > here is that there’s one device doing the request and another doing the > interaction. This pattern is also used in CIBA and some UMA style flows, so > it’s not just about the nature of the client but also about the nature of > the users involved. > > So for now that’s firmly in “and other” but I’m open to suggestion! > > > — Justin > > On Jan 13, 2020, at 2:59 AM, Lee McGovern <Lee_McGovern@swissre.com> > wrote: > > "Web, mobile, single-page, and other types of client applications" > > Should device (as in device flow) be explicitly mentioned here? > > *From:* Adrian Hope-Bailie <adrian@hopebailie.com> > *Sent:* Samstag, 11. Januar 2020 08:11 > *To:* Dick Hardt <dick.hardt@gmail.com> > *Cc:* Justin Richer <jricher@mit.edu>; txauth@ietf.org > *Subject:* Re: [Txauth] alternative charter writeup > > +1 > > On Sat, Jan 11, 2020 at 04:56 Dick Hardt <dick.hardt@gmail.com> wrote: > > This looks even better! Thanks Justin. > > What do others think of the proposed charter now? > ᐧ > > On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote: > > Thanks, Dick. I’ve been working on an updated charter based on everyone’s > feedback, and I was aiming to have out today anyway, so this timing is > helpful. So here’s my take on a new charter, incorporating some of your > points below: > > > This group is chartered to develop a delegation protocol for identity, > authorization, and API access. This protocol will allow an authorizing > party to delegate access to client software through an authorization > server. The use cases supported by this protocol will include widely > deployed use cases currently supported by OAuth 2.0 and OpenID Connect. > > The delegation process will be acted upon by multiple parties in the > protocol, each performing a specific role. The protocol will be initiated > by the client interacting directly with the authorization server (in > contrast with OAuth 2 which is initiated by the client redirecting the > user’s browser). The client will involve the authorizing party as necessary > through interaction mechanisms indicated by the protocol. > > Additionally, the delegation process will allow for: > > - Fine-grained specification of resource access > - Approval of identity claims and multiple resources in a single > interaction > - Delegation between multiple users > - Web, mobile, single-page, and other types of client applications > > The group will define extension points for this protocol to allow for > flexibility in areas including: > > - Cryptographic agility for keys, message signatures, and proof of > possession > - User interaction mechanisms including web and non-web methods > - Mechanisms for providing user, software, organization, and other pieces > of information used in authorization decisions > - Token presentation mechanisms and key bindings > > Additionally, the group will provide mechanisms for management of the > protocol lifecycle including: > > - Discovery of the authorization server > - Revocation of active tokens > - Query of token rights by resource servers > > Although the artifacts for this work are not intended or expected to be > backwards-compatible with OAuth 2.0 or OpenID Connect, the group > will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the > new protocol where possible. > > While the initial work will focus on using HTTP for communication between > the client and the authorization server, the working group will seek to > take advantage of optimization features of HTTP2 and HTTP3, and will strive > to enable simple mapping to other protocols such as COAP. > > > On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > > Hey > > I've written an alternative charter that I hope captures some of the > feedback on Justin's charter. > > I found it easier to rewrite the charter to broaden the marketplace of > ideas. > > Key ideas: > > - This work supports existing OAuth 2.0, and OpenID Connect use cases. > > - The client interacts directly with the authorization server. > > /Dick > > > ---- > > This group is chartered to develop a delegated identity and authorization > protocol.. The use cases supported by this protocol will include widely > deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In > contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated > by redirecting the user's browser to an authorization server, this protocol > will be initiated by the client directly interacting with the authorization > server.. > > > Additionally, the protocol will allow: > - fine-grained specification of resource access > - the user to approve requests for identity claims and access to multiple > resources in one interaction > - web, mobile, single-page, and other client applications > - taking advantage of optimization features in HTTP2 and HTTP3 > > The group will define extension points for this protocol to allow for > flexibility in areas including: > > - discovery of the authorization server > - cryptographic agility for keys, message signatures, and proof of > possession > - user interaction mechanisms including web and non-web methods- token > presentation mechanisms and key bindings > > Although the artifacts for this work are not intended or expected to be > backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to > simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse > existing semantics such as client identifiers, OAuth 2.0 scopes and access > tokens, and OpenID Connect ID Tokens and claims. > > While the initial work will focus on using HTTP for communication between > the client and the authorization server, the working group will strive to > enable simple mapping to other protocols such as COAP. > > > ᐧ > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > -- > Sent from a mobile device, please excuse any typos > > This e-mail, including attachments, is intended for the person(s) or > company named and may contain confidential and/or legally privileged > information. > Unauthorized disclosure, copying or use of this information may be > unlawful and is prohibited. If you are not the intended recipient, please > delete this message and notify the sender. > All incoming and outgoing e-mail messages are stored in the Swiss Re > Electronic Message Repository. > If you do not wish the retention of potentially private e-mails by Swiss > Re, we strongly advise you not to use the Swiss Re e-mail account for any > private, non-business related communications. -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Adrian Hope-Bailie
- Re: [Txauth] alternative charter writeup Yaron Sheffer
- Re: [Txauth] alternative charter writeup Lee McGovern
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Torsten Lodderstedt
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer