Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 20 January 2016 04:37 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C081C1A1B84 for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 20:37:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Level:
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eJGbIUw4dV17 for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 20:37:40 -0800 (PST)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id A3ACC1A1B6A for <oauth@ietf.org>; Tue, 19 Jan 2016 20:37:38 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.22,319,1449493200"; d="scan'208";a="142839992"
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipocvi.tcif.telstra.com.au with ESMTP; 20 Jan 2016 15:37:35 +1100
X-IronPort-AV: E=McAfee;i="5700,7163,8049"; a="65744862"
Received: from wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) by ipcavi.tcif.telstra.com.au with ESMTP; 20 Jan 2016 15:37:35 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3756.srv.dir.telstra.com ([2002:ac31:2854::ac31:2854]) with mapi; Wed, 20 Jan 2016 15:37:34 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 20 Jan 2016 15:37:33 +1100
Thread-Topic: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
Thread-Index: AdFSr11PUssgD816QTiFUWwupJG0PQAhiH1g
Message-ID: <255B9BB34FB7D647A506DC292726F6E13BB6958F55@WSMSG3153V.srv.dir.telstra.com>
References: <569E2276.5070407@gmx.net>
In-Reply-To: <569E2276.5070407@gmx.net>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/_nJ8WH9NnEy0XXDYc_W4HRj7hH8>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 04:37:41 -0000

Accepting draft-jones-oauth-amr-values-03 is almost okay as a starting point for work.
I would like to see significant changes though:

* The "amr_values" parameter should be dropped; it just encourages brittle designs as section 4 "relationship to acr" and section 6 "security considerations" already warn about. There is no need to enable that brittleness. If someone really wants this functionality they could put an amr value in the "acr_values" field as a hack.

* The model for amr_values is wrong as well. For example, "amr":["pwd","otp"] could be a common response that you want, but you cannot ask for that with amr_values since amr_values="pwd otp" actually means just "pwd", or just "otp" is okay (and just "pwd" is your preference).

* Registering values on a "Specification Required" basis is over-the-top. This doc registers 8 amr values with just a few words as each value's "specification" (eg "eye": retina scan biometric). Each of the other 7 amr values are "specified" in a few lines with a reference (or two). A "First Come First Served" basis is probably sufficient, with the "specification" just the description in the registry (that can include references).

--
James Manger


-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Tuesday, 19 January 2016 10:48 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

Hi all,

this is the call for adoption of Authentication Method Reference Values, see
https://tools.ietf.org/html/draft-jones-oauth-amr-values-03

Please let us know by Feb 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Note: The feedback during the Yokohama meeting was inconclusive, namely
9 for / zero against / 6 persons need more information.

You feedback will therefore be important to find out whether we should do this work in the OAuth working group.

Ciao
Hannes & Derek