On Wed, Jan 20, 2016 at 12:37 PM, Manger, James <
james.h.man...@team.telstra.com> wrote:

> Accepting draft-jones-oauth-amr-values-03 is almost okay as a starting
> point for work.
>

+1 for adoption.


> I would like to see significant changes though:
>
> * The "amr_values" parameter should be dropped; it just encourages brittle
> designs as section 4 "relationship to acr" and section 6 "security
> considerations" already warn about. There is no need to enable that
> brittleness. If someone really wants this functionality they could put an
> amr value in the "acr_values" field as a hack.
>

I agree that it seems to encourage brittle designs. Why would the OP want
to use "otp" when it has U2F on file for the same user, for example? But
come to think of it, is any use of "amr" non-brittle?  I guess the broader
ones like "user", "rba", "mca" and "mfa" are a little more future-proof.

I'm very keen to hear some concrete use-cases for this parameter.

> * The model for amr_values is wrong as well. For example,
> "amr":["pwd","otp"] could be a common response that you want, but you
> cannot ask for that with amr_values since amr_values="pwd otp" actually
> means just "pwd", or just "otp" is okay (and just "pwd" is your preference).
>
> * Registering values on a "Specification Required" basis is over-the-top.
> This doc registers 8 amr values with just a few words as each value's
> "specification" (eg "eye": retina scan biometric). Each of the other 7 amr
> values are "specified" in a few lines with a reference (or two). A "First
> Come First Served" basis is probably sufficient, with the "specification"
> just the description in the registry (that can include references).
>

I agree, "Specification Required" does seem like a high bar.


> --
> James Manger
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Tuesday, 19 January 2016 10:48 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Call for Adoption: Authentication Method Reference
> Values
>
> Hi all,
>
> this is the call for adoption of Authentication Method Reference Values,
> see
> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>
> Please let us know by Feb 2nd whether you accept / object to the adoption
> of this document as a starting point for work in the OAuth working group.
>
> Note: The feedback during the Yokohama meeting was inconclusive, namely
> 9 for / zero against / 6 persons need more information.
>
> Your feedback will therefore be important to find out whether we should do
> this work in the OAuth working group.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>