IETF Logo Mail Archive

Re: [Txauth] Call for charter consensus - TxAuth WG

David Skaife <blue.ringed.octopus.guy@gmail.com> Sat, 07 March 2020 15:53 UTC

Return-Path: <blue.ringed.octopus.guy@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30ABD3A152A for <txauth@ietfa.amsl.com>; Sat, 7 Mar 2020 07:53:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGaXlbRHTzgl for <txauth@ietfa.amsl.com>; Sat, 7 Mar 2020 07:53:24 -0800 (PST)
Received: from mail-ed1-x544.google.com (mail-ed1-x544.google.com [IPv6:2a00:1450:4864:20::544]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 817703A1528 for <txauth@ietf.org>; Sat, 7 Mar 2020 07:53:23 -0800 (PST)
Received: by mail-ed1-x544.google.com with SMTP id g19so6363238eds.11 for <txauth@ietf.org>; Sat, 07 Mar 2020 07:53:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eFajJbtPZuz8CfAYWQH59gx1DmPezrorW0aj+arjI7Y=; b=l+tU+3EUOh/Egju/ONNNT29OIh+SVYKk2agEDyNdGtnePXfKZwdEOTJwTLFw3ElsiH La70PIJ+9LJA46EJNMk6yy968OL6TlhojOipgzo+2/SnylcPU219atHXl639z3DIpWxd g5UUD4pqXkFuq69XP/c3YvTuCVRrxBllUj01pR6TWE9BYfnrqw+B1uxH0GuYVwscx881 3Hegt3KPcWRE0bZpB8gA2VUioEVudD27oh0T2OwzI88Il9o7Xxlrat530TOcoTshlQt5 hIRnLWEsdik8F6Plh0+txQlWBG+cm6XNvxfTziPUB5mx6Y9Li22jOkK62PylYEv5iMex 2WYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eFajJbtPZuz8CfAYWQH59gx1DmPezrorW0aj+arjI7Y=; b=p28GOTOG6YECozzisN4E8qIhuxSbOupmsLFUPnEjnYJhKnQDi5JnKpWv8RvY7PLQ/z jLGh+vBMzGGCUn46DH8PBiM86u/i0F5TXb26M/6LAir9UWfHJncQL+dSOB99e+9rW1go pdgj+o/iaggN8o//qIqBZ9owBUbhZ0t8+4c0ASWGnR+c/4Fy4wnOUdX1nI23OUWivTuz xcc2mVV2+eLUwRteMe4hLiqzQe8nlVme/feFxc7DBHEFFZxkFhUb0Jk39jYJYDXKANow /qjx6WI4H3ppB5kWZ/y0Zc7duCPWDaEhIP3l+lV6dmNlE3IaK6qzJaGaQ8nS+MMqbVWn Ex5g==
X-Gm-Message-State: ANhLgQ3pO4EI0+nPSlzSvnZb/ni27vW7Y6iWmrh0Htr64I2rmIvgRhnD vCLR/qHBwpTEWd/TTzLmcAveXXaB7ZbnMrp3giO4CZ/pL2c=
X-Google-Smtp-Source: ADFU+vsVQHd4ruK9Zql2wa8IwNAISMLKu07DYZhD9X5S4GWIjeiiYvYZ9WxtdRdoWabT42dQhQlkIb5dQxa1PhZ7tnU=
X-Received: by 2002:a05:6402:b85:: with SMTP id cf5mr8601822edb.27.1583596401840; Sat, 07 Mar 2020 07:53:21 -0800 (PST)
MIME-Version: 1.0
References: <A01F5301-54DF-41D4-8ABE-8B070180F6FE@gmail.com> <970D54F0-E407-4578-A93E-F0EE589667F9@lodderstedt.net>
In-Reply-To: <970D54F0-E407-4578-A93E-F0EE589667F9@lodderstedt.net>
From: David Skaife <blue.ringed.octopus.guy@gmail.com>
Date: Sat, 07 Mar 2020 15:53:10 +0000
Message-ID: <CAKiOsZvT-Xy2UNRBOaaZ1=GWh3a0w+WEqxM-7kv3aC_ydbLUEA@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ffd77605a045c451"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/gTQO684CYtxsqJkEnvGDuKndXF0>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2020 15:53:26 -0000
X-List-Received-Date: Sat, 07 Mar 2020 15:53:26 -0000

Hi,

I'm fairly new to this group (and the OAuth group) but I'm hoping to
participate and help here.

> 1.  Do you support the charter text provided at the end of this email?
Or do you have major objections, blocking concerns or feedback (if so
please elaborate)?

Yes. I share some of the same concerns that Torsten has highlighted, but
overall I'm happy with the charter text. I like that it explicitly states
that we're aiming to create a *protocol*, not a *framework *(like OAuth 2.0
was).

>
> 2.  Are you willing to author or participate in the development of the
drafts of this WG?

Yes, I will help as much as my time permits.

>
> 3.  Are you willing to help review the drafts of this WG?

Yes.

>
> 4.  Are you interested in implementing drafts of this WG?

Yes.


Many thanks,
David Skaife


On Sat, Mar 7, 2020 at 3:17 PM Torsten Lodderstedt <torsten=
40lodderstedt.net@dmarc.ietf.org> wrote:

> Hi,
>
> > Am 06.03.2020 um 17:45 schrieb Yaron Sheffer <yaronf.ietf@gmail.com>:
> >
> > Hi Everyone,
> >
> > It appears that momentum is forming around the proposed formation of a
> TxAuth working group.  We’d like to more formally gauge interest in
> proceeding with this work.  Please do so by responding to the following
> questions:
> >
> > 1.  Do you support the charter text provided at the end of this email?
> Or do you have major objections, blocking concerns or feedback (if so
> please elaborate)?
>
> I‘m in although I have to admit I‘m slightly concerned the scope of the
> charter is too broad, e.g. identify alone is a huge topic.
>
> We need to keep an eye on this aspect in order to make sure, the group is
> able to work effectively and the specs we will be producing are as simple
> as possible and foster interoperability.
>
> >
> > 2.  Are you willing to author or participate in the development of the
> drafts of this WG?
>
> yes
>
> >
> > 3.  Are you willing to help review the drafts of this WG?
>
> yes
>
> >
> > 4.  Are you interested in implementing drafts of this WG?
>
> yes
>
> best regards,
> Torsten.
>
> >
> > The call will run for two weeks, until March 21. If you think that the
> charter should be amended In a significant way, please reply on a separate
> thread.
> >
> > The feedback provided here will help the IESG come to a decision on the
> formation of a new WG. Given the constraints of the chartering process,
> regardless of the outcome of this consensus call, we will be meeting in
> Vancouver as a BoF.
> >
> > Thanks,
> > Yaron and Dick
> >
> > --- Charter Text Follows ---
> >
> > This group is chartered to develop a fine-grained delegation protocol
> for authorization, identity, and API access. This protocol will allow an
> authorizing party to delegate access to client software through an
> authorization server. It will expand upon the uses cases currently
> supported by OAuth 2.0 and OpenID Connect (itself an extension of OAuth
> 2.0) to support authorizations scoped as narrowly as a single transaction,
> provide a clear framework for interaction among all parties involved in the
> protocol flow, and remove unnecessary dependence on a browser or user-agent
> for coordinating interactions.
> >
> > The delegation process will be acted upon by multiple parties in the
> protocol, each performing a specific role. The protocol will decouple the
> interaction channels, such as the end user’s browser, from the delegation
> channel, which happens directly between the client and the authorization
> server (in contrast with OAuth 2.0 which is initiated by the client
> redirecting the user’s browser). The client and AS will involve a user to
> make an authorization decision as necessary through interaction mechanisms
> indicated by the protocol. This decoupling avoids many of the security
> concerns and technical challenges of OAuth 2.0 and provides a non-invasive
> path for supporting future types of clients and interaction channels.
> >
> > Additionally, the delegation process will allow for:
> >
> > - Fine-grained specification of access
> > - Approval of AS attestation to identity claims
> > - Approval of access to multiple resources and APIs in a single
> interaction
> > - Separation between the party authorizing access and the party
> operating the client requesting access
> > - A variety of client applications, including Web, mobile, single-page,
> and interaction-constrained applications
> >
> > The group will define extension points for this protocol to allow for
> flexibility in areas including:
> >
> > - Cryptographic agility for keys, message signatures, and proof of
> possession
> > - User interaction mechanisms including web and non-web methods
> > - Mechanisms for conveying user, software, organization, and other
> pieces of information used in authorization decisions
> > - Mechanisms for presenting tokens to resource servers and binding
> resource requests to tokens and associated cryptographic keys
> > - Optimized inclusion of additional information through the delegation
> process (including identity)
> >
> > Additionally, the group will provide mechanisms for management of the
> protocol lifecycle including:
> >
> > - Discovery of the authorization server
> > - Revocation of active tokens
> > - Query of token rights by resource servers
> >
> > Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, the group will
> attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new
> protocol where possible.
> >
> > This group is not chartered to develop extensions to OAuth 2.0, and as
> such will focus on new technological solutions not necessarily compatible
> with OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be
> developed in the OAuth Working Group, including functionality back-ported
> from the protocol developed here to OAuth 2.0.
> >
> > The group is chartered to develop mechanisms for applying cryptographic
> methods, such as JOSE and COSE, to the delegation process. This group is
> not chartered to develop new cryptographic methods.
> >
> > The initial work will focus on using HTTP for communication between the
> client and the authorization server, taking advantage of optimization
> features of HTTP2 and HTTP3 where possible, and will strive to enable
> simple mapping to other protocols such as COAP when doing so does not
> conflict with the primary focus.
> >
> > Milestones to include:
> > - Core delegation protocol
> > - Key presentation mechanism bindings to the core protocol for TLS,
> detached HTTP signature, and embedded HTTP signatures
> > - Identity and authentication conveyance mechanisms
> > - Guidelines for use of protocol extension points
> >
> >
> > --
> > Txauth mailing list
> > Txauth@ietf.org
> > https://www.ietf.org/mailman/listinfo/txauth
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email