Re: [Txauth] Call for WG name preferences - process clarification

Dick Hardt <> Tue, 02 June 2020 21:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0D4803A07E2 for <>; Tue, 2 Jun 2020 14:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KhSNol9M6Bn5 for <>; Tue, 2 Jun 2020 14:59:14 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0F0733A07E0 for <>; Tue, 2 Jun 2020 14:59:14 -0700 (PDT)
Received: by with SMTP id o9so158599ljj.6 for <>; Tue, 02 Jun 2020 14:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xG7I+U6MpmWE3FW53nKKkci+kYEkBRcBJvp/k7suKTM=; b=dA2OSE1OfXxelE0E6FvTsExynZa1OQK8SUa5SdpCq3zg8PfYQiizHJrf1SkaHiDpK9 EvhYTRInRCBd1WJx4N24ZDnGEOO6b90nMUsN9uU6GlAjqI4NJyJRPDieNJ61uprQLHKA 7cu3WpeoiA71Ba194G2LplF5fBXA+pKAnSbGgTJKImnSG5HYoicWo0/pCJi+2otjPgbX LKOiqDnCWsPGJBx49MUyv1MKTkfeSOTgJgRAAdBhoyIjNRSU04mV9HC0Kz8eGwRbqVY1 jsho/BEv41wkLQBn082KB9MS8Z2S+YQkDRvXASGq+Sj9zFvMznWo4JB6BlqEzKOZE/WP /qtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xG7I+U6MpmWE3FW53nKKkci+kYEkBRcBJvp/k7suKTM=; b=iLlQ3GTt1084bT/zYDEknHjmGXiVFI4Cyh+gSs9mlrDJjXejTMU2QKaoRLHY85HBd/ ABLvWfXzNTe9Csl3NsGjWvfbSFmL/i5Uv+K8tt3qySMmNrjhCBqgYaFPwMCdHvEylbi2 kHLLvhifu6gWm3BJMR3+Iff9dqGr7S5LJxhPPI3KgrWwhFaQ1jFn767y2oShqw4oZ4BW 4s1HiYBo09yhtP9pfdvmEHf7ZvyF45FjlC8LJPFP/U7JS+ScM5STDQYyR27EuZzleQP5 lcRTGgSiwyX3zMEki9mpS8fT8VVp+vNXBBlNWXcfyu3dSVXhlACwyI7Ocf/Jlz/Y/Kl/ dlGg==
X-Gm-Message-State: AOAM532KijBr6mqF1lhZKnL21WQHUvr/thufQxJNJmi1a9teFYBAnu8H fDFWlmaAZo6/JmrvV8CiJt9qAeMrM1Lh3ZTWlTU=
X-Google-Smtp-Source: ABdhPJwNqMLkjHIv6ZUc6bH4SIhfl/Q2bodi6kRMwv6wYa3b71+w70ylGqTFWEOC5Zj7/ptkC9JuIR5jDypAqyBlzNY=
X-Received: by 2002:a2e:140a:: with SMTP id u10mr553734ljd.56.1591135152048; Tue, 02 Jun 2020 14:59:12 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Tue, 2 Jun 2020 14:58:46 -0700
Message-ID: <>
To: Justin Richer <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="00000000000087111805a7210513"
Archived-At: <>
Subject: Re: [Txauth] Call for WG name preferences - process clarification
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Jun 2020 21:59:17 -0000

Hey Justin,

Per your comment "Extensibility is not a differentiating feature of this
work.", extensibility is explicitly called out in the charter (and is not
in the OAuth WG charter):

The group will define extension points for this protocol to allow for
flexibility in areas including:

- Cryptographic agility for keys, message signatures, and proof of
- User interaction mechanisms including web and non-web methods
- Mechanisms for conveying user, software, organization, and other pieces
of information used in authorization decisions
- Mechanisms for presenting tokens to resource servers and binding resource
requests to tokens and associated cryptographic keys
- Optimized inclusion of additional information through the delegation
process (including identifiers and identity assertions)

Milestones to include:
- Guidelines for use of protocol extension points


On Thu, May 28, 2020 at 2:47 PM Justin Richer <> wrote:

> Thanks to everyone in the community for suggesting names, and thanks to
> the chairs for putting this list together.
> Here’s my personal take on the candidates.
> *Wouldn’t Object:*
> * TxAuth      Transmission of Authority
> This is my personal favorite of the lot because it avoids the
> “authorization/authentication” question and gets at the heart of what this
> protocol does: delegation, which is to say, transmitting the authority to
> do something from one party to another. That delegation allows for
> authorized access to resources, but can also allow different rights to flow
> as needed. Additionally, “tx” has long been used to stand for
> “transmission” in computer science and networking.
> * AZARP    AuthoriZed Access to Resources Protocol
> The use of “AZ” to stand for “authorized” is awkward, but the
> pronunciation kinda works as something memorable. The expansion is a twist
> of words to make it fit, and I like that less.
> Resource access is only part of the story, but it’s an important part.
> This leaves out what we want to do around non-authorization cases (like
> identity conveyance).
> * AZARAP    AuthoriZation And Resource Access Protocol
> I like the expansion here more than the one for AZARP but I like the
> acronym less with the additional “A”.
> Same comment as above for AZ standing for Authorization.
> Same comment as above for resource access.
> * DAZARAP    Delegated AuthoriZation And Resource Access Protocol
> I like the expansion here, but the acronym is awkward and weak.
> Same comment as above for AZ standing for Authorized.
> Same comment as above for resource access.
> * GNAP    Grant Negotiation and Authorization Protocol
> This is ok, but it has a couple downsides. The pronunciation of a hard “g”
> or not is going to potentially be confusing, as is the fact that it looks
> like it’s part of the GNU project because of that.
> The term “Grant” is one of the more confusing things that was introduced
> in OAuth 2, and while it’s established in the lexicon today, I’ve yet to
> meet many engineering teams that actually know what a “grant” is. Most
> think it’s another name for the authorization code.
> Also it means “to bite”, which may or may not be desirable.
> * NIRAD    Negotiation of Intent Registration and Authority Delegation
> This is a somewhat weak construct, but it mostly works. It spells out more
> what the protocol will do (if we go with the currently proposed solution
> designs) than what it solves, but that might be ok.
> It makes me think of NORAD (a positive, they do weather radar and track
> Santa Claus each year), but also “nimrod”, a pejorative term. And before
> anyone chimes in with “But Nimrod was a mighty hunter of ancient times”, it
> doesn’t mean that to any modern listener.
> * GATAR      Grant Authorization To Access Resources
> This one isn’t bad, and I can appreciate the “guitar” pronunciation and
> imagery. As above, resource access isonly part of the story.
> Same comment about “Grant” as above in GNAP.
> *Object:*
> * AAuthZ    Alternative Authorization Protocol (AAuthZ)
> It’s an alternative to what, exactly? And what happens when someone makes
> an alternative to it?
> The focus on “Authorization” as a core part of the name tells only part of
> the story.
> Assuming the “Z” is pronounced as its letter name (which is implied by the
> capitalization), there’s an issue with pronouncing the final “Z” as either
> “Zee” or “Zed” depending on dialect. If it’s not pronounced as a letter,
> it’s really difficult to say the consonants “thz" together in a way that
> can be heard and understood.
> * BeBAuthZ    Back-end Based Authorization Protocol
> The definition of “back end” is going to change depending on your
> perspective in the stack, but even if it were consistent, the flexibility
> around user interaction is a huge motivator for many getting involved in
> this work.
> This is close to “BBAuth”, which was a commercial predecessor to OAuth 1,
> so much that it’s nearly impossible to disambiguate when talking.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * BYOAuthZ    Build-Your-Own Authorization Protocol
> This is the opposite of what we’re doing here. We don’t want a bunch of
> disparate pieces that people can use to build a protocol, we want a
> protocol with the right kind of flexibility to fit different use cases.
> This name tells developers that they aren’t getting a solution and
> incompatibility is likely.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * CPAAP    Comprehensive Privileged Authentication Authorization Protocol
> This makes me think of CPAP, a breathing assistance device. Not something
> I’m keen to call to mind in the middle of a global pandemic of a
> respiratory disease.
> The expansion doesn’t really tell me anything.
> What does “privileged” mean here, and does it apply to the authentication
> (which seems implied)?
> * DIYAuthZ    Do-It-Yourself Authorization Protocol
> As above in BYOAuthZ, this is the opposite of what we’re trying to do by
> creating a standard.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * GranPro    GRAnt Negotiation Protocol
> The acronym is a really awkward construction.
> As above, “grant” is an often misunderstood term from OAuth 2. Plus, the
> “grant” isn’t really what’s being negotiated here.
> * IDPAuthZ    Intent Driven Protocol for Authorization
> “IDP” is already well understood in this space to mean “identity
> provider”, so we should not try to overload it.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * PAuthZ    Protocol for Authorization
> It was suggested this would be pronounced “paws” but I can’t think of a
> single reason someone looking at the word would try to pronounce it that
> way.
> It’s also completely generic and doesn’t say anything about the work.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * RefAuthZ    Refactored Authorization Protocol
> Refactored from what? What if someone refactors this? What are the factors?
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * ReAuthZ    Reimagined Authorization Protocol
> The short form is already a short term for “re-authorization”, which is
> not what we are doing.
> Reimagined from what, and by whom?
> The expansion sounds like it’s imaginary and not real.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * TIAAP    Tokenized Identity and Access Protocol
> I don’t think “tokenized” is used in a meaningful way here. It produced
> “tokens”, but tokenization is the splitting up of an input into pieces,
> which is not what’s happening here.
> * TIDEAuth    Trust via Intent Driven Extension Auth
> The expansion is really awkward.
> It sounds like it’s an extension to an existing protocol (something that
> we are explicitly NOT doing per the charter).
> * TIDYAuth    Trust via Intent Driven Yield Auth
> I actually really like the acronym but the expansion is super awkward.
> What is being yielded here?
> * TIEAuth    Trust via Intent Extension Auth
> What is “intent extension”?
> As above, it sounds like an extension not a protocol.
> * TINOA   This Is Not OAuth
> This says nothing about what this work is, only what it isn’t. And on that
> regard, it doesn’t matter that this isn’t OAuth. OAuth 2 isn’t OAuth 1,
> either.
> And given that ease of transition from OAuth 2 is part of the charter,
> this isn’t a helpful distinction.
> * TXAuth    Testable eXtensible Authorization
> I don’t get the focus on “testable” in the name. Testable in what way? Can
> other protocols not be tested?
> Extensibility is not a differentiating feature of this work.
> * TXAuth      Truly eXtensible Authorization
> Extensibility is not a differentiating feature of this work.
> What makes something “truly extensible” as opposed to “not truly
> extensible”?
> * XAuthZ    eXtensible authoriZation protocol
> Extensibility is not a differentiating feature of this work.
> The acronym is just pulling random letters from the middle of words in the
> expansion to try to work.
> Same comment as above focus on Authorization.
> Same comment as above about Zed/Zee confusion.
> * WRAC     Web Resource Access Collaboration
> This is not a collaboration protocol or system. Collaboration, within
> computer science, is established to refer to when two or more :people: work
> and communicate together. This protocol does not facilitate human
> communication, and so the use of this term is not appropriate here.
> This is very close to “wrack” which is a common enough English verb, as in
> “wracked nerves” or “to wrack one’s brain”, which derives from the medieval
> torture process of stretching someone over a rack. This
> --
> Txauth mailing list