IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 11 January 2020 21:08 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7D712004E for <txauth@ietfa.amsl.com>; Sat, 11 Jan 2020 13:08:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.144
X-Spam-Level:
X-Spam-Status: No, score=-1.144 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=0.852, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZjNUWbEZDo0E for <txauth@ietfa.amsl.com>; Sat, 11 Jan 2020 13:08:19 -0800 (PST)
Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3F4C12001A for <txauth@ietf.org>; Sat, 11 Jan 2020 13:08:18 -0800 (PST)
Received: by mail-wm1-x32a.google.com with SMTP id p9so5544238wmc.2 for <txauth@ietf.org>; Sat, 11 Jan 2020 13:08:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=zWrUt9WJAeLJEJv5ZDTnEHIRkmxS1Lw4VkC7OV1ukyc=; b=LqOn+4m4fLLCDd4yaL7WfH3likvFZN1qrEH9z6C4djT4D669Cgp1EAuqYhfMWnjvHu 4suM+ib/VqcAblug3VSe3HQgSndhF7EwfoJyS+U9UhuLyrWUcWdzSydCtq18bq42QuGk yEjlm9+qTufL0iBPsOjEAEyxxPgG+T4OxO3uDl1VKfq0JG//Ye4f1B+aYI9S6uoyGjCs k2QxsSOs5FNGtJhfQCjZcekpCGbGzl5P1te6sS1/ZG1P6px/lbqLy4MdPepaRLQSppjC /t96Cgh7oE6ZSqFG4O8iJZKoFqSZ2+tJdA2BABp1loXurzwvjejHAV0IWC+YfBMA/sJJ +Kgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=zWrUt9WJAeLJEJv5ZDTnEHIRkmxS1Lw4VkC7OV1ukyc=; b=dH9ExF5X9s5q02oMFPx0avc1xyPkDcVBF+BPm2ct6g26PKNjrse8PD3lG6VcFVdVO8 Jm3jU8SF14UYoMNpxJFtJFgrdPt+WiQPEN7whLbV9ch8Gt3LZF8rn7a60eq8avbpaRhl 1lnFdmNOV5fGb2F+Rfyh5/h1AizUXPeZYTVxpq07W6WRHxIHvJq46FmCQnVZw6Epo9CH Ge251uDqcsavEsE28u3oPbbptL1yDOVIRmwg/JHe2Xwyt7QgoXy75GvukjaBwKlpukxS NbxaApUPvt/JXp/DLj2tArsLpakaWmbiJTCkZEIw88DdixI9MKP16TJcvR0u7pFwnSYv 2/5w==
X-Gm-Message-State: APjAAAUIffbBpheh/5szu7EXVJAZa9cvymuVxBQQUi/NTdHnnOa6GtOE qoAC8nHK2TjhntAD63Kbo+c=
X-Google-Smtp-Source: APXvYqw/zSbk3LreYKAuVX0o+HKbBU0/C9OEtTRdayDf+if3MoYrmyenrZmHCMXgiIZdlaW/BTrM4Q==
X-Received: by 2002:a1c:dc85:: with SMTP id t127mr11503621wmg.16.1578776896963; Sat, 11 Jan 2020 13:08:16 -0800 (PST)
Received: from [10.0.0.144] (bzq-79-180-23-198.red.bezeqint.net. [79.180.23.198]) by smtp.gmail.com with ESMTPSA id q14sm7906611wmj.14.2020.01.11.13.08.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 11 Jan 2020 13:08:16 -0800 (PST)
User-Agent: Microsoft-MacOutlook/10.20.0.191208
Date: Sat, 11 Jan 2020 23:08:15 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Adrian Hope-Bailie <adrian@hopebailie.com>, Dick Hardt <dick.hardt@gmail.com>
CC: txauth@ietf.org, Justin Richer <jricher@mit.edu>
Message-ID: <734FDFDE-59C4-41CA-AFE0-3F8204B24C8F@gmail.com>
Thread-Topic: [Txauth] alternative charter writeup
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <CA+eFz_JTNJG=Lav8dxzq4c8565QDG=uqAPsnL1rfqTVN-WoLQQ@mail.gmail.com>
In-Reply-To: <CA+eFz_JTNJG=Lav8dxzq4c8565QDG=uqAPsnL1rfqTVN-WoLQQ@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3661628895_183676716"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/wXxyaexluGL7Al29Aq0FDDSPq3w>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2020 21:08:21 -0000

Same here.

 

From: Txauth <txauth-bounces@ietf.org> on behalf of Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Saturday, January 11, 2020 at 09:11
To: Dick Hardt <dick.hardt@gmail.com>
Cc: <txauth@ietf.org>, Justin Richer <jricher@mit.edu>
Subject: Re: [Txauth] alternative charter writeup

 

+1

 

On Sat, Jan 11, 2020 at 04:56 Dick Hardt <dick.hardt@gmail.com> wrote:

This looks even better! Thanks Justin.

 

What do others think of the proposed charter now? 

ᐧ

 

On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote:

Thanks, Dick. I’ve been working on an updated charter based on everyone’s feedback, and I was aiming to have out today anyway, so this timing is helpful. So here’s my take on a new charter, incorporating some of your points below:

 

This group is chartered to develop a delegation protocol for identity, authorization, and API access. This protocol will allow an authorizing party to delegate access to client software through an authorization server. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0 and OpenID Connect. 

 

The delegation process will be acted upon by multiple parties in the protocol, each performing a specific role. The protocol will be initiated by the client interacting directly with the authorization server (in contrast with OAuth 2 which is initiated by the client redirecting the user’s browser). The client will involve the authorizing party as necessary through interaction mechanisms indicated by the protocol. 

 

Additionally, the delegation process will allow for:

 

- Fine-grained specification of resource access

- Approval of identity claims and multiple resources in a single interaction

- Delegation between multiple users

- Web, mobile, single-page, and other types of client applications

 

The group will define extension points for this protocol to allow for flexibility in areas including:

 

- Cryptographic agility for keys, message signatures, and proof of possession 

- User interaction mechanisms including web and non-web methods

- Mechanisms for providing user, software, organization, and other pieces of information used in authorization decisions

- Token presentation mechanisms and key bindings

 

Additionally, the group will provide mechanisms for management of the protocol lifecycle including:

 

- Discovery of the authorization server

- Revocation of active tokens

- Query of token rights by resource servers

 

Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new protocol where possible.

While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will seek to take advantage of optimization features of HTTP2 and HTTP3, and will strive to enable simple mapping to other protocols such as COAP.

 

On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

 

Hey

 

I've written an alternative charter that I hope captures some of the feedback on Justin's charter.

 

I found it easier to rewrite the charter to broaden the marketplace of ideas. 

 

Key ideas:

 

- This work supports existing OAuth 2.0, and OpenID Connect use cases.

 

- The client interacts directly with the authorization server. 

 

/Dick

 

----

 

This group is chartered to develop a delegated identity and authorization protocol.. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated by redirecting the user's browser to an authorization server, this protocol will be initiated by the client directly interacting with the authorization server..


Additionally, the protocol will allow:

- fine-grained specification of resource access

- the user to approve requests for identity claims and access to multiple resources in one interaction

- web, mobile, single-page, and other client applications

- taking advantage of optimization features in HTTP2 and HTTP3


The group will define extension points for this protocol to allow for flexibility in areas including:


- discovery of the authorization server

- cryptographic agility for keys, message signatures, and proof of possession 

- user interaction mechanisms including web and non-web methods- token presentation mechanisms and key bindings


Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse existing semantics such as client identifiers, OAuth 2.0 scopes and access tokens, and OpenID Connect ID Tokens and claims.


While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will strive to enable simple mapping to other protocols such as COAP.

 

 

ᐧ

-- 
Txauth mailing list
Txauth@ietf.org
https://www.ietf.org/mailman/listinfo/txauth

 

-- 
Txauth mailing list
Txauth@ietf.org
https://www.ietf.org/mailman/listinfo/txauth

-- 

Sent from a mobile device, please excuse any typos

-- Txauth mailing list Txauth@ietf.org https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email