Re: [Txauth] New version of XYZ Draft

Dick Hardt <> Fri, 17 July 2020 17:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1C0CC3A086B for <>; Fri, 17 Jul 2020 10:10:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.098
X-Spam-Status: No, score=-0.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JCtvX3XJalYz for <>; Fri, 17 Jul 2020 10:10:49 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 182093A0867 for <>; Fri, 17 Jul 2020 10:10:49 -0700 (PDT)
Received: by with SMTP id i19so1239087lfj.8 for <>; Fri, 17 Jul 2020 10:10:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SC5rabZNngC+b7QaUE4a1Jg59GsfpYSIwvUwC2Y66L4=; b=iCTsPnj0PLqoFEYSbVac4U8r7qioTQb1jzAoedOqSsvM7Fq5iKR1PAxCdmRuF8RA2/ 4Qc37xbzFmicU2cB3++Ncxi0pae6eZhSr2grIXMMnv3E2iwYvjysa5Lv6fJqX1pqp1Qu 5BIB88DfaHLrSnEirajW+0kG0i2Y5vFdQx5iuLtN+sWIDG22SWlyXaoLSREN9Ihww+LP h76bNLwcpRf2TAhx0SK+slRILFRmOal/WLpNdiyXp8fU+v8/L/JmBnj2KdwhkcWjgrp7 cF4GqLvlUCU8h5xanp/OG6R6AVl3ikpR5XR5dFeiP+ONh1tzfycst45CzbeFFUFn/iWK M8NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SC5rabZNngC+b7QaUE4a1Jg59GsfpYSIwvUwC2Y66L4=; b=koW/faDvGi/FgYC6CZmNJDR6t/7zMi6EXxDmg7tzdfQKPD9I5fX+sI9jdDAy/aMsKS EAoloSxmkzcLAOwG/wTXuzA0ODduXqo3O3IswIknxqvsnkIl+I4eFnmRXRgesa4n1w30 02VPwu4bhXJTQRQHJuw1R7jD+9RhIJdHAWSJrb10frAqVcKGxk6S1PQzd9OI+AZXxgR6 NhOR606Cm24EpOvbsW365jMCM4nQkOMs54H812rx2ElRnqX0N8MT56Fh8t3x/POWGn7b cJ3vFGv3h0gL/fUfiZLrV9x8bgPe9j8XfhLnYBxWrbqMTiiGD+ogJ/ywXvuyOTC9Gy3H 45CA==
X-Gm-Message-State: AOAM532F6iNQ2eUiPjM1v4/Fa7ayQTVgeR9ErUPjrN6rRs0AmwBM/ITf IK+upyYXJX4Md2l+WDCADnCXXpQ/YvEYD80x1uQ=
X-Google-Smtp-Source: ABdhPJz9NPa/k+dqgWXw+lAlmYn81vAWncd6fxbWaMix1FZP0OCBEehLb7EDbeJf0Rx9XLPnt4t6i+SzEbC5ZdVOgVk=
X-Received: by 2002:a19:64c:: with SMTP id 73mr5190067lfg.0.1595005847015; Fri, 17 Jul 2020 10:10:47 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Fri, 17 Jul 2020 10:10:10 -0700
Message-ID: <>
To: Justin Richer <>
Content-Type: multipart/alternative; boundary="000000000000ed19e105aaa63c10"
Archived-At: <>
Subject: Re: [Txauth] New version of XYZ Draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Jul 2020 17:10:51 -0000

Hey Justin,

Glad to see that you are aligning on having URIs for the access tokens and
the "grant".

While the token URI is unique to the token, you have not done the same for
a "grant", but have a handle and a non-unique URI.

Why not have a unique grant URI similar to the token URI? (a combination of
the handle and a non-unique URI) -- this is then both the identifier, and
the URL for "management"?

Glad to see you have excised the DID references. I don't think the common
use cases are well established there currently.

I have LOTS of feedback on your interaction changes, that I'll post later
on, and hope that others have feedback on those as well.


On Thu, Jul 16, 2020 at 2:52 PM Justin Richer <> wrote:

> Hi all,
> I’ve updated the XYZ draft specification. Since the publication tools are
> currently locked prior to the upcoming virtual meeting, I have published it
> online here:
> This represents a pretty significant refactoring of the specification,
> hopefully to make the concepts and capabilities easier to understand. The
> core protocol is largely the same as before, but there are a number of
> serious updates:
>  - Continuation requests happen at a URL returned in the TX response. The
> “handle” is still sent as one of the input values here, since the handle
> can also be used it other contexts.
>  - Tokens now can include the resources they are issued for
>  - Tokens can have an optional management URI for rotation and revocation.
>  - “claims” has been removed in favor of “subject” dealing directly with
> identifiers and assertions
>  - the “user” request and response now align with identifiers and
> assertions
>  - Extensions and registries are more clearly enumerated throughout the
> document
>  - DID-related items have been excised in deference to a future possible
> extension
>  - Added a “pushback” mechanism to complement the “callback” mechanism
>  - Simplified dynamic handle returns and access tokens based on developer
> feedback (basically we dropped a bunch of “what if” stuff that nobody used
> or liked, like SHA3 hashes for bearer tokens)
> I’ve also updated the interactive examples on to match
> this new draft. Hopefully it’s consistent with the draft text.
> I have not yet, however, updated any of the implementations of XYZ to take
> the elements of new syntax into account, so there might be some more
> changes prior to the IETF meeting as I realize what terrible mistakes I’ve
> made when doing that. :)
> Feedback, as always, is welcomed, and thanks to everyone who’s provided
> input to the project to date.
>  — Justin
> --
> Txauth mailing list