idnits 2.17.1 draft-hamrick-ogp-launch-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.ii or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 26, 2009) is 5418 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-10) exists of draft-hammer-oauth-02 ** Downref: Normative reference to an Informational draft: draft-hammer-oauth (ref. 'I-D.hammer-oauth') == Outdated reference: A later version (-01) exists of draft-hamrick-ogp-auth-00 -- Possible downref: Non-RFC (?) normative reference: ref. 'OPENID' ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) -- No information found for draft-hamrick-llsd - is the name correct? -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Hamrick 3 Internet-Draft Linden Research, Inc. 4 Intended status: Standards Track J. Hurliman 5 Expires: December 28, 2009 Intel Corporation 6 June 26, 2009 8 Open Grid Protocol : Client Application Launch Message 9 draft-hamrick-ogp-launch-00 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on December 28, 2009. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This document describes the LLIDL interface description for the Open 48 Grid Protocol (OGP) Client Application Launch message format. 50 Messages in this format are intended to be used in conjunction with 51 standard web authentication or authorization technologies such as 52 OpenID or OAuth. This document describes the message format, the 53 processing expectations and three MIME types that may be used to 54 identify requests to initiate a virtual worlds session. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 60 2. The OGP Client Application Launch Message Format . . . . . . . 3 61 3. Processing Expectations . . . . . . . . . . . . . . . . . . . 4 62 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 63 5. MIME Type Registrations . . . . . . . . . . . . . . . . . . . 6 64 5.1. MIME Type Registration for application/ogpcal+xml . . . . 7 65 5.2. MIME Type Registration for application/ogpcal+json . . . . 8 66 5.3. MIME Type Registration for application/ogpcal+binary . . . 9 67 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 68 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 69 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 70 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 71 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 73 1. Introduction 75 Web authentication protocols such as OpenID [OPENID] and web 76 authorization protocols such as OAuth [I-D.hammer-oauth] are of 77 increasing interest to the internet community. They have great 78 utility in web-based application environments. Best practice for 79 their use in conjunction with applications that do not expose a HTML 80 rendering interface is less clear. Virtual World (VW) client 81 applications, for instance, are often implemented as "desktop 82 applications" instead of "web apps". This introduces difficulty in 83 using web based authentication and authorization protocols to 84 initiate a virtual world session. 86 OpenID and OAuth traditionally use a HTTP redirect [RFC2616] after 87 user or token authentication to begin an authorized session with a 88 web application. Desktop applications do not generally have a URI to 89 act as the target of HTTP redirection. 91 One possible solution to this problem is to register a unique MIME 92 type [RFC2046] with the user's web browser and following succesful 93 user or token authentication, redirect the user's web browser to a 94 resource with that MIME type. Upon receipt of such a resource, a 95 properly configured web browser should launch the client application. 97 This document describes the format of a web resource suitable for 98 signaling the user's web browser to launch a virtual world client 99 application that uses Open Grid Protocol (OGP) Authentication 100 [I-D.hamrick-ogp-auth] to establish a session between the client 101 application and network resources implementing the virtual world. 103 1.1. Requirements Language 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 107 document are to be interpreted as described in RFC 2119 [RFC2119]. 109 2. The OGP Client Application Launch Message Format 111 The Client Application Launch message is an LLSD [I-D.hamrick-llsd] 112 message, defined by the LLIDL below. It may be transmitted in XML, 113 JSON or Binary format, at the web server's convenience. Compliant 114 client applications SHOULD support XML, JSON and Binary serialization 115 formats. 117 & authenticator = { 118 type : 'hash', 119 algorithm : 'sha256', 120 secret : binary 121 } 123 & identifier = { 124 type: 'account', 125 account_name: string, 126 first_name: string, 127 last_name: string, 128 } 130 & identifier = { 131 type: 'agent', 132 first_name: string, 133 last_name: string, 134 } 136 & request = { 137 authenticator : & authenticator, 138 identifier : & identifier, 139 loginuri : uri, 140 region : uri 141 } 143 %% launch_request -> & request <- undef 145 Figure 1 : OGP Client Application Launch Message 147 3. Processing Expectations 149 The OGP Client Application Launch Message is intended to be sent by a 150 web server to a web browser following successful web authentication. 151 Requirements for web authentication are explicitly not defined in 152 this document, and left as a responsibility of the authenticating web 153 service. 155 The message flow for receiving a client application launch message is 156 as follows: 158 +------------------+ 2. +------------------+ 159 | |---------------->| | 160 | Web Auth Service | 3. | OGP Agent Domain | 161 | |<----------------| | 162 +------------------+ +------------------+ 163 ^ | ^ 164 1. | | 4. | 6. 165 | v | 166 +------------------+ 5. +------------------+ 167 | |---------------->| | 168 | Web Browser | | OGP Client App | 169 | | | | 170 +------------------+ +------------------+ 172 Figure 2 : Message Flow For Client Application Launch Requests 174 0. Registering MIME types as Web Browser Helper Applications The 175 technique defined in this document depends on the traditional web 176 browser capability to define a "helper application" when the 177 browser receives a MIME type it cannot handle itself. Compliant 178 OGP Client Applications SHOULD register themselves as the helper 179 application for the three MIME types listed in IANA 180 Considerations (Section 4) below. 182 The exact technique used to register the client application with 183 the OGP Client Application Launch Message is beyond the scope of 184 this document. 186 1. Web Client to Web Server Authentication / Authorization The 187 process of launching an OGP client application using a web based 188 authentication or authorization system begins with successful 189 user authentication or token authentication. It is traditional 190 in these systems for the user's web browser to be redirected to a 191 web based application following authentication. This document 192 assumes the user's web browser will instead be redirected to an 193 HTTP or HTTPS URI that will eventually respond with a Client 194 Application Launch Message. 196 The exact nature of the web-based authentication or authorization 197 scheme used is beyond the scope of this document. 199 2. One Time Password Request Before the web service responsible for 200 communicating the launch message to the user's web brower may 201 download the message, it must first request a "single use only" 202 shared secret. 204 The exact technique for requesting the One Time Password is 205 beyond the scope of this document. However, the request from the 206 authentication service to the agent domain SHOULD contain an 207 account or avatar name known to the agent domain and SHOULD be 208 communicated over a secure channel. 210 3. One Time Password Response The agent domain responds with a One 211 Time Password. The password SHOULD be a sequence of unguessable 212 octets, thought the exact encoding and transport of the request 213 is beyond the scope of this document. 215 4. Client Application Launch Download After the One Time Password is 216 passed from the agent domain to the authorization service, it is 217 included in the Client Application Launch Message along with an 218 account or avatar identifier, a login URI for the agent domain 219 and an initial region URI indicating the avatar's initial 220 location in the virtual world. 222 5. Web Browser Launches Client Application When the user's web 223 browser receives the Client Application Launch Message, it 224 forwards the contents of the message AND the message's MIME type 225 to the registered Client Application. 227 6. OGP Authentication In response to receipt of the Client 228 Application Launch Message, the client application uses the 229 information in the message to begin the OGP Authentication 230 process and initial placement of the user's avatar in the virtual 231 world. 233 4. IANA Considerations 235 In accordance with [RFC5226], this document registers the following 236 mime types: 238 application/ogpcal+xml 240 application/ogpcal+json 242 application/ogpcal+binary 244 See the MIME Type Registrations section (Section 5) below for 245 detailed information on MIME Type registrations. 247 5. MIME Type Registrations 249 This section provides media-type registration applications (as per 250 RFC 4288 [RFC4288].) 252 5.1. MIME Type Registration for application/ogpcal+xml 254 To: ietf-types@iana.org 256 Subject: Registration of media type application/ogpcal+xml 258 Type name: application 260 Subtype name: ogpcal+xml 262 Required Parameters: none 264 Optional Parameters: none 266 Encoding Considerations: The Extensible Markup Language (XML) 267 specification allows for the use of multiple character sets. The 268 character set used to encode the body of the message is defined 269 as part of the XML header. If no character set is indicated in 270 the XML header, compliant systems MUST assume UTF-8. 272 Security Considerations: The OGP Client Application Launch Request 273 Message contains sensitive information. Compliant systems SHOULD 274 ensure the confidentialty of the communications media between the 275 web authentication service and the OGP agent domain as well as 276 that between the web authentication service and the user's web 277 browser. 279 Interoperability Considerations: While it is possible for compliant 280 implementations to specify the use of character sets other than 281 UTF-8, such systems MUST accept UTF-8 input and SHOULD generate 282 UTF-8 output. 284 Published specification: this specification. 286 Applications that use this media type: Virtual world, tele-presence 287 and content management systems related to "virtual reality" 288 systems. 290 Additional Information: 292 Magic Number(s): none 294 File Extension: calx 296 Macintosh File Type Code(s): CALX 298 Person & email address to contact for further information: Meadhbh 299 Hamrick 301 Intended Usage: COMMON 303 Author: IESG 305 Change Controller: IESG 307 5.2. MIME Type Registration for application/ogpcal+json 309 To: ietf-types@iana.org 311 Subject: Registration of media type application/ogpcal+json 313 Type name: application 315 Subtype name: ogpcal+json 317 Required Parameters: none 319 Optional Parameters: none 321 Encoding Considerations: Use of UTF-8 is Mandatory RFC 4627 : The 322 application/json Media Type for JavaScript Object Notation (JSON) 323 [RFC4627] allows the use of UTF-8, UTF-16 and UTF-32. This 324 specification REQUIRES the use of UTF-8. 326 Security Considerations: The OGP Client Application Launch Request 327 Message contains sensitive information. Compliant systems SHOULD 328 ensure the confidentialty of the communications media between the 329 web authentication service and the OGP agent domain as well as 330 that between the web authentication service and the user's web 331 browser. 333 Interoperability Considerations: Note that unlike RFC 4627, this 334 specification REQUIRES the use of UTF-8. 336 Published specification: This specification. 338 Applications that use this media type: Virtual world, tele-presence 339 and content management systems related to "virtual reality" 340 systems. 342 Additional Information: 344 Magic Number(s): none 346 File Extension: calj 348 Macintosh File Type Code(s): CALJ 350 Person & email address to contact for further information: Meadhbh 351 Hamrick 353 Intended Usage: COMMON 355 Author: IESG 357 Change Controller: IESG 359 5.3. MIME Type Registration for application/ogpcal+binary 361 To: ietf-types@iana.org 363 Subject: Registration of media type application/ogpcal+binary 365 Type name: application 367 Subtype name: ogpcal+binary 369 Required Parameters: none 371 Optional Parameters: none 373 Encoding Considerations: LLSD Binary Serialization REQUIRES the use 374 of binary content-transfer-encoding Section 5 of RFC 2045 [RFC2045] 375 describes the binary Content-Transfer-Encoding header field. 376 This specification REQUIRES the use of this header to alert 377 intermediary systems that information being included in the 378 message should be interpreted as binary data with no end-of-line 379 semantics which could be considerably longer than allowed in an 380 RFC 821 transport. 382 Security Considerations: The OGP Client Application Launch Request 383 Message contains sensitive information. Compliant systems SHOULD 384 ensure the confidentialty of the communications media between the 385 web authentication service and the OGP agent domain as well as 386 that between the web authentication service and the user's web 387 browser. 389 Interoperability Considerations: none 391 Published specification: This specification. 393 Applications that use this media type: Virtual world, tele-presence 394 and content management systems related to "virtual reality" 395 systems. 397 Additional Information: 399 Magic Number(s): none 401 File Extension: calb 403 Macintosh File Type Code(s): CALB 405 Person & email address to contact for further information: Meadhbh 406 Hamrick 408 Intended Usage: COMMON 410 Author: IESG 412 Change Controller: IESG 414 6. Security Considerations 416 Security considerations for this specification are, fortunately, 417 either simple or beyond the scope of this document. RFC 3552 418 [RFC3552] describes several aspects to use when evaluating the 419 security of a specification or implementation. The authors believe 420 most common security concerns users of this specification will 421 encounter are more appropriately considered as transport, network or 422 link layer issues. Or, as higher level "application security" 423 issues. 425 7. References 427 7.1. Normative References 429 [I-D.hammer-oauth] 430 Hammer-Lahav, E. and B. Cook, "The OAuth Core Protocol", 431 draft-hammer-oauth-02 (work in progress), March 2009. 433 [I-D.hamrick-ogp-auth] 434 Chu, T., Hamrick, M., and M. Lentczner, "Open Grid 435 Protocol: Authentication", draft-hamrick-ogp-auth-00 (work 436 in progress), March 2009. 438 [OPENID] OpenID Foundation, "OpenID Authentication 2.0 - Final", 439 2007. 441 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 442 Extensions (MIME) Part One: Format of Internet Message 443 Bodies", RFC 2045, November 1996. 445 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 446 Extensions (MIME) Part Two: Media Types", RFC 2046, 447 November 1996. 449 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 450 Requirement Levels", BCP 14, RFC 2119, March 1997. 452 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 453 Registration Procedures", BCP 13, RFC 4288, December 2005. 455 [RFC4627] Crockford, D., "The application/json Media Type for 456 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 458 7.2. Informative References 460 [I-D.hamrick-llsd] 461 Brashears, A., Hamrick, M., and M. Lentczner, "Linden Lab 462 Structured Data", 2008. 464 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 465 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 466 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 468 [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC 469 Text on Security Considerations", BCP 72, RFC 3552, 470 July 2003. 472 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 473 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 474 May 2008. 476 Authors' Addresses 478 Meadhbh Siobhan Hamrick 479 Linden Research, Inc. 480 945 Battery St. 481 San Francisco, CA 94111 482 US 484 Phone: +1 650 283 0344 485 Email: infinity@lindenlab.com 487 John Hurliman 488 Intel Corporation 489 3600 Juliette Lane 490 Santa Clara, CA 95051 491 US 493 Email: john.hurliman@intel.com