[Wimse] Re: Token Exchange and Translation Protocol

"Flemming Andreasen (fandreas)" <fandreas@cisco.com> Wed, 31 July 2024 21:03 UTC

From: "Flemming Andreasen (fandreas)" <fandreas@cisco.com>
To: Dean Saxe <dean.saxe=40beyondidentity.com@dmarc.ietf.org>
Date: Wed, 31 Jul 2024 21:03:38 +0000
Message-ID: <970c8541-ce9d-4869-9397-a648734ed72b@cisco.com>
References: <17054C45-D280-4F6D-92FA-69780E697C69@mit.edu> <a48794ca-6c54-4643-990b-88a06bd08c9b@cisco.com> <CALH0CC19PEpPZvEE=JNW4y-Y8Ew5tbMLtGKq9-qVcrECtD8RCA@mail.gmail.com>
In-Reply-To: <CALH0CC19PEpPZvEE=JNW4y-Y8Ew5tbMLtGKq9-qVcrECtD8RCA@mail.gmail.com>
CC: Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>
Subject: [Wimse] Re: Token Exchange and Translation Protocol
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/5uEFzZF8oU6u6_8VIbiUh8YqR2E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>

Hi Dean

I think we are largely on the same page here. Wrt. the use cases I-D, I assume you are referring to https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html? If so, that draft expired in February, and I'm not clear on what the intent of it is going forward. Regardless, when you look at the use cases described in there, I don't see anything specifically talking about token exchange/translation. I think I generally understand the notion of token exchange based on RFC 8693, however I'm less clear on token translation as defined in the draft. The AWS-to-SPIFFE scenario described in the draft makes sense, and I am asking for more such examples to help guide the specific translations we should be focusing on (profiles). From a documentation point of view, I like the more descriptive style of some of the use cases, but I also recognize the value of the user story approach taken in the use-cases draft above - a combination of the two would be ideal from my point of view.

Cheers

-- Flemming
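Flemming's message above contrasts RFC 8693 token exchange, which he says he generally understands, with the draft's token translation, which he does not. To make the first half of that contrast concrete, here is an added example that is not code from this thread, from the WIMSE draft, or from any vendor: a minimal RFC 8693 token-exchange endpoint in Python (standard library only) that takes a verified subject_token, mints a new JWT for the requested audience, and handles delegation via actor_token, the subject token's may_act claim and the issued token's act claim. The issuer names, audiences, SPIFFE IDs and HS256 shared keys are assumptions for the illustration; a real STS would use asymmetric keys published via JWKS. It deliberately does not attempt any of the draft's "translation" profiles, since what those should be is the open question in the thread.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693 s2.1
TT_JWT = "urn:ietf:params:oauth:token-type:jwt"                 # RFC 8693 s3
TT_ACCESS = "urn:ietf:params:oauth:token-type:access_token"

# Everything below the RFC identifiers is assumed for the illustration.
STS_ISSUER = "https://sts.example.internal"
STS_KEY = b"sts-signing-key-assumed"             # stand-in for a real (asymmetric) STS key
TRUSTED = {"https://idp.example.internal": b"idp-key-assumed"}  # issuers whose tokens we accept
ALLOWED_AUDIENCES = {"https://orders.example.internal", "https://billing.example.internal"}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """HS256 compact JWS over the claims (hand-rolled only to keep the example dependency-free)."""
    signing_input = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def decode_claims(token: str) -> dict:
    """Payload of a compact JWT without verification (only for inspecting what the STS issued)."""
    return json.loads(_unb64u(token.split(".")[1]))

def verify_jwt(token: str, now: int) -> dict:
    """Verify an incoming token against a trusted issuer's key and its expiry; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64u(h)), json.loads(_unb64u(p))
    except Exception as e:
        raise ValueError("malformed token") from e
    if header.get("alg") != "HS256":             # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = TRUSTED.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest(), _unb64u(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now or "sub" not in claims:
        raise ValueError("expired or no subject")
    return claims

def token_exchange(form_body: str, now=None) -> tuple:
    """One POST body to the token endpoint, handled as an RFC 8693 exchange; returns (status, json_body)."""
    now = int(time.time()) if now is None else now
    form = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if form.get("grant_type") != GRANT_TYPE:
        return 400, {"error": "unsupported_grant_type"}
    if "subject_token" not in form or form.get("subject_token_type") not in (TT_JWT, TT_ACCESS):
        return 400, {"error": "invalid_request", "error_description": "subject_token and a supported subject_token_type are REQUIRED"}
    audience = form.get("audience")
    if audience not in ALLOWED_AUDIENCES:        # never mint for an audience this STS does not know (s2.2.2)
        return 400, {"error": "invalid_target"}
    try:
        subject = verify_jwt(form["subject_token"], now)
    except ValueError as e:
        return 400, {"error": "invalid_grant", "error_description": f"subject_token: {e}"}
    new_claims = {"iss": STS_ISSUER, "sub": subject["sub"], "aud": audience, "iat": now, "exp": now + 300}
    if "actor_token" in form:                    # delegation: the actor is recorded in an 'act' claim (s4.1)
        if form.get("actor_token_type") not in (TT_JWT, TT_ACCESS):
            return 400, {"error": "invalid_request", "error_description": "actor_token_type is REQUIRED with actor_token"}
        try:
            actor = verify_jwt(form["actor_token"], now)
        except ValueError as e:
            return 400, {"error": "invalid_grant", "error_description": f"actor_token: {e}"}
        # RFC 8693 s4.4: the subject token's 'may_act' claim says who is allowed to act on the subject's behalf.
        if subject.get("may_act", {}).get("sub") != actor["sub"]:
            return 400, {"error": "invalid_grant", "error_description": "actor not authorised by may_act"}
        new_claims["act"] = {"iss": actor["iss"], "sub": actor["sub"]}
    return 200, {"access_token": mint_jwt(new_claims, STS_KEY),
                 "issued_token_type": TT_JWT,    # REQUIRED in a token-exchange response (s2.2.1)
                 "token_type": "Bearer", "expires_in": 300}

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario (not real traffic): a user's IdP token exchanged for the orders service,
    directly and then with a frontend workload acting on the user's behalf."""
    idp, key = "https://idp.example.internal", TRUSTED["https://idp.example.internal"]
    frontend = "spiffe://example.internal/ns/shop/sa/frontend"
    user = mint_jwt({"iss": idp, "sub": "alice", "exp": now + 600, "may_act": {"sub": frontend}}, key)
    frontend_tok = mint_jwt({"iss": idp, "sub": frontend, "exp": now + 600}, key)
    other_tok = mint_jwt({"iss": idp, "sub": "spiffe://example.internal/ns/shop/sa/reporting", "exp": now + 600}, key)
    base = {"grant_type": GRANT_TYPE, "subject_token": user, "subject_token_type": TT_JWT}
    orders = {"audience": "https://orders.example.internal"}
    return {
        "plain": token_exchange(urlencode({**base, **orders}), now),
        "delegated": token_exchange(urlencode({**base, **orders, "actor_token": frontend_tok, "actor_token_type": TT_JWT}), now),
        "wrong_actor": token_exchange(urlencode({**base, **orders, "actor_token": other_tok, "actor_token_type": TT_JWT}), now),
        "bad_audience": token_exchange(urlencode({**base, "audience": "https://evil.example.net"}), now),
    }
```

Running demo() returns four (status, body) pairs: the plain exchange and the delegated exchange succeed, with the delegated token carrying act.sub for the frontend workload; an actor the subject's may_act claim does not name is refused with invalid_grant; an audience the STS was not configured for is refused with invalid_target before any token is even verified. The point of the audience and may_act checks is that an exchange endpoint is a privilege boundary: it must decide what it is willing to issue, not merely re-sign whatever it is handed.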


On 7/31/24 14:47, Dean Saxe wrote:
Flemming,

Thank you again for the feedback.


For IETF 120 the most important output (IMHO) was to frame up the problem space and an approach to solving for the use cases we identified.  The doc is rough and at a high level because we really needed feedback to inform the next steps - are we approaching this problem from the right perspective?  Are we missing something in the existing RFCs?

I agree that there’s more work to be done on the use cases draft to inform this document.

Additional commentary/questions inline below.

-dhs
--
Dean H. Saxe, CIDPRO (https://idpro.org/cidpro/)
Principal Engineer, Office of the CTO
Beyond Identity
dean.saxe@beyondidentity.com




On Jul 30, 2024 at 6:16:23 PM, Flemming Andreasen (fandreas) <fandreas=40cisco.com@dmarc.ietf.org> wrote:
We have a charter item corresponding to this document and I don't see any other candidate documents at this time, so I vote for A.

The document is pretty rough though and mostly introduces some of the problems to consider. Additionally, the document would benefit from the following:
- More work on the requirements to feed into this document (per separate e-mail thread on requirements)
- A set of representative use case scenarios to illustrate what we are after. This is especially important for the "token translation" scenarios.

How is this different from the use cases described in the use cases I-D?  Are these more concrete examples or something entirely different?

- Clarity on whether we aim to use (/profile) RFC 8693 for "token translation" or whether that is only for "token exchange"

I have an action item to follow up with Brian Campbell on this as discussed in the WG last week.


- Clarity on which token formats we want to be able to translate/exchange. While the document notes that these will be provided as "translation profiles", we should understand the target ones early on, and develop at least some of them in parallel with the basic translation/exchange protocol.

I am supportive of developing the profiles side-by-side with this ID.  I thought I had said that in the meeting, but if I did not, that was my intent.  My thought process was to enable profiles to be developed on a separate track to allow the WG to deliver RFC candidates more quickly without allowing one profile to bog down the work on the larger token translation doc.

If you have suggested token translations to focus on in the near term, please let me know.



Cheers

-- Flemming


On 7/29/24 08:25, Justin Richer wrote:
Following discussion in Vancouver, the chairs would like to begin discussion on what the next steps should be for the Token Exchange and Translation Protocol document [1], an output of the Token Exchange Design Team. This is not a call for adoption as there was a clear indication in the room that the document was not yet ready for this stage.

Please reply to the list to indicate that:

A: You believe this document should be developed into a state that the WG can adopt it. (Please discuss what you believe would be required changes for this. Please keep in mind that a call for adoption is a starting point for a document, not a finished document.)

B: You believe this document should NOT be developed further by the WG. (Please indicate why if possible)

C: You need more information before making this decision. (Please indicate what information you’d need)

D: You don’t give a flying rat about this document (i.e., this is not a topic you care strongly about)


Please reply to the list by August 12th, 2024.

— Justin and Pieter

[1] https://datatracker.ietf.org/doc/draft-saxe-wimse-token-exchange-and-translation/





--
Wimse mailing list -- wimse@ietf.org
To unsubscribe send an email to wimse-leave@ietf.org