Hello OAuth,

I wanted to share my current mental model for SPICE and WIMSE and their
relation to OAuth, and ask authors of the "verifiable credential related
work items at oauth" if they agree or disagree, or how they feel about the
framing.

I'm not attached to any of what I am about to say, so feel free to throw
rocks.

Our recent meetings related to SPICE have narrowed the proposed charter to
focus on applying JWT / CWT or JOSE and COSE more generally to the 3 party
model.

If you are an author of an OAuth work item, targeting the 3 party model, do
you like the idea of future work like that maybe happening at a dedicated
"credentials" group at IETF?

Are there any work items in OAuth that might be worth referencing in the
next revision of the proposed SPICE charter?

If so, please let me know and I am happy to include them as examples of the
3 party model at IETF that are already underway.

We seem to think that SPICE should stay silent on "credential transports"
for the time being, and work with OAuth, W3C, OIDF for the cases where
credentials need to move, and not try to define any specific standards
related to transports.

This point is still being debated, and the main remaining item seems to be
if a "mediator" is needed, and what that might mean for credential
transports.

You can review the latest discussions here:
https://mailarchive.ietf.org/arch/browse/spice

Onto WIMSE...

There was some great discussion regarding OAuth and DPoP recently:
https://mailarchive.ietf.org/arch/msg/wimse/apRED5S7FnLdwjQJBN8Iu2Af9yU

I think this shows that perhaps some of the initial "credential transport"
related work that was considered as part of SPICE might be better handled
at WIMSE... but I could be reading this incorrectly.

In summary:

Roman asked a while back what items might be addressed in a future OAuth
recharter, and there was some pushback on "working on the 3 party model" or
considering other transports (handling higher volume data flows related to
workload identity)...

I can see other places emerging that might be good to do that work, and I
wonder if folks here agree or have comments on how this is progressing...

.... and I am also still very interested in what the next charter for OAuth
might focus on.

Regards,

OS

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
