Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

John Bradley <ve7jtb@ve7jtb.com> Wed, 20 January 2016 22:07 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22DA21AD2B2 for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 14:07:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id heaPO4uGwfEA for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 14:07:30 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD6D21AD2C0 for <oauth@ietf.org>; Wed, 20 Jan 2016 14:07:29 -0800 (PST)
Received: by mail-qg0-x22d.google.com with SMTP id 6so17918087qgy.1 for <oauth@ietf.org>; Wed, 20 Jan 2016 14:07:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=MzQ1pKc4Nn6NkEzhzYhGPJFlXivNcPUqhEXNOJ3dOzU=; b=WafZxOHX6cMtnsnbUoiiqabODzE3Ydg+CwU91t8BViExLY0IPn+1sIdLnNLnxdLxhE PDt1nmhUmFACMZeWWmK0F1Et+AiQQiOkPCPa7fJmRQLm8aDTGOWjsYKWWRnYTvpck5V6 /hdMmxt5qgVR8VbI78TOEvuZ2XZ0x1nPMGqYO+VBA4lHP0oUC1ZrdpKkruUMSW7n1ahG CYERW/0mD56yadaTpyWPH2OcS3+HEppjWfLYuGPwRLPUQjdHGow+BcLH57EABSnEeCf2 tgsyJ5Fwr/LTPMzHPmUZF25v+RVb3BF2qGTk2lTms08rm/4+VQ+XwxBO0j1LKWnyIv8/ 7Brg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=MzQ1pKc4Nn6NkEzhzYhGPJFlXivNcPUqhEXNOJ3dOzU=; b=FHzw8SdTiDO7rJbBq/TS+r0ylnK1L2/4AYMqP7DH+dwVXOhETP9xOwIw0t1leUtnYl L3XMWtCl+BEwWMCFZ6DzSrm5TkqPnEk9VCRE+9mSDoYaAHrEl6bMB4HiwRGySQ8GMB4y 9KWjROTmw1Y1DtJvAHFIIghTKnkyJ4s1SQRI9YmIs8jnksuftUVCs/NuShJ9GL1tLMau TzEz41emlRirD2dkRwWOP3Z4wVj+I/SCXNHOplMz/PDo7SnhwGf1in48DTWRFdKjAD3/ WmDnrty56FJkeUi1ZNaHNWAfHfpxDe33rGBpfGjIjfbsy8+ABMAs0inLxebmYN958HGg qTtw==
X-Gm-Message-State: ALoCoQlVinDiZcPcYJuFQafJII/ZlNkAsdMRWHhVUi2euEnHHsTxsyirCUZq0ypuptWNpZLZNJvXX3w85z4Ay/QzW9YD5cbTaQ==
X-Received: by 10.140.35.115 with SMTP id m106mr47638671qgm.13.1453327649017; Wed, 20 Jan 2016 14:07:29 -0800 (PST)
Received: from [192.168.8.101] ([181.202.164.7]) by smtp.gmail.com with ESMTPSA id s103sm15143560qge.3.2016.01.20.14.07.27 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Jan 2016 14:07:28 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_EBE9EE38-330B-44CE-BA96-C7372E3686D9"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BY2PR03MB442067CA10AADEAA3E974A6F5C20@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Wed, 20 Jan 2016 19:07:25 -0300
Message-Id: <C10A8618-9939-4B04-845E-61C95F5ECAA4@ve7jtb.com>
References: <569E2276.5070407@gmx.net> <8A2DAF46-BAF7-439D-8FE3-65EA2DA8E692@mit.edu> <47F7D0BA-8E98-4E37-BA84-D128C0FD8396@ve7jtb.com> <BY2PR03MB442067CA10AADEAA3E974A6F5C20@BY2PR03MB442.namprd03.prod.outlook.com>
To: Michael Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/XbzyozhG6NThnCrY4i_NigRKQcY>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 22:07:32 -0000

So if this is scoped to be a registry for the values of a JWT claim then it is fine.
We should discourage people from thinking that it is part of the OAuth protocol vs JWT claims.

John B.

> On Jan 20, 2016, at 6:29 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> The primary purpose of the specification is to establish a registry for "amr" JWT claim values.  This is important, as it increases interoperability among implementations using this claim.
> 
> It's a fair question whether "requested_amr" should be kept or dropped.  I agree with John and James that it's bad architecture.  I put it in the -00 individual draft to document existing practice.  I suspect that should the draft is adopted by the working group as a starting point, one of the first things the working group will want to decide is whether to drop it.  I suspect that I know how this will come out and I won't be sad, architecturally, to see it go.
> 
> As to whether this belongs in the OAuth working group, long ago it was decided that JWT and JWT claim definitions were within scope of the OAuth working group.  That ship has long ago sailed, both in terms of RFC 7519 and it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, which defines a new JWT claim, and is in the RFC Editor Queue.  Defining a registry for values of the "amr" claim, which is registered in the OAuth-established registry at http://www.iana.org/assignments/jwt, is squarely within the OAuth WG's mission for the creation and stewardship of JWT.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Wednesday, January 20, 2016 12:44 PM
> To: Justin Richer <jricher@mit.edu>
> Cc: <oauth@ietf.org> <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
> 
> I see your point that it is a fine line reporting how a person authenticated to a Authorization endpoit (it might be by SAML etc) and encouraging people to use OAuth for Authentication.
> 
> We already have the amr response in connect.  The only thing really missing is a registry.  Unless this is a sneaky way to get requested_amr into Connect?
> 
> John B.
>> On Jan 20, 2016, at 5:37 PM, Justin Richer <jricher@mit.edu> wrote:
>> 
>> Just reiterating my stance that this document detailing user authentication methods has no place in the OAuth working group.
>> 
>> — Justin
>> 
>>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> 
>>> Hi all,
>>> 
>>> this is the call for adoption of Authentication Method Reference 
>>> Values, see
>>> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>>> 
>>> Please let us know by Feb 2nd whether you accept / object to the 
>>> adoption of this document as a starting point for work in the OAuth 
>>> working group.
>>> 
>>> Note: The feedback during the Yokohama meeting was inconclusive, 
>>> namely
>>> 9 for / zero against / 6 persons need more information.
>>> 
>>> You feedback will therefore be important to find out whether we 
>>> should do this work in the OAuth working group.
>>> 
>>> Ciao
>>> Hannes & Derek
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>