I didn't expect to see SD-JWT as a "proposed work item" on the SPICE BoF agenda because its appropriateness to be and stay in the OAuth WG had been discussed on list (e.g., https://mailarchive.ietf.org/arch/msg/oauth/6qjAsqLwyp5WoxqY3dVv8SJ5nVM/) and SD-JWT wasn't mentioned in the SPICE BoF request https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/03/
On Wed, Nov 1, 2023 at 5:21 AM Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote: > Hi all, > > > I am a bit puzzled by the response Pam and I received when putting the > agenda for the SPICE BOF together. It appears that most people have not > paid attention to the discussions during the last few months. > > > Let me try to get you up to speed. So, here is my summary. > > > The OAuth working group has seen a lot of interest in the context of the > SD-JWT/VC work and there have been complaints about the three WG sessions > we scheduled at the last IETF meeting. (FWIW neither Rifaat nor I > understood why we received these complaints given that people asked us for > more slots. But that's another story...) > > > The SD-JWT/VC work is architecturally different to the classical OAuth > (which is not a problem) but raises questions about the scope of the work > done in the OAuth working group, as defined by the charter. The charter of > a group is a "contract" with the steering committee (IESG) about the work > we are supposed to be doing. There is the expectation that the work > described in the charter and in the milestones somehow matches the work the > group is doing (at least to some approximation). See also the mail from > Roman to the OAuth list for the type of questions that surfaced: > https://mailarchive.ietf.org/arch/msg/oauth/a_MEz2SqU7JYEw3gKxKzSrRlQFA/ > > > In time for the Prague IETF meeting a BOF request (with the shiny name > SPICE, see > https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/) > was submitted. It was subsequently approved by the IESG. SPICE aims to > cover the scope of the SD-JWT/VC work (plus work on defining the CWT-based > counterparts) -- my rough summary; details are here: > https://github.com/transmute-industries/ietf-spice-charter/blob/main/charter.md > > > This BOF request again raised questions about the scope and the > relationship with OAuth, see Roman's note here: > https://mailarchive.ietf.org/arch/msg/spice/Aoe86A0x6bezllwx17Xd5TOQ3Pc/ > > > Now, we are in the final stages of preparing the BOF for the Prague IETF > and in the agenda preparation we repeately get asked the same question: > > > "Has the transfer of some of the OAuth documents already been agreed?" > > > The answer is "no". Nothing has been agreed. The purpose of the BOF is to > find this agreement. > > > So, if you have an opinion whether some of the OAuth documents (in > particular draft-ietf-oauth-sd-jwt-vc, > draft-ietf-oauth-selective-disclosure-jwt, draft-ietf-oauth-status-list) > should move to a new working group then you should speak up **now**. > > > The SPICE BOF (and the WIMSE BOF) will happen on Tuesday next week. The > first OAuth WG session happens shortly afterwards (also on Tuesday). The > outcome of the BOF(s) will guide us in our discussion about re-chartering > the OAuth working group (which is an item on the OAuth agenda, see > https://datatracker.ietf.org/meeting/118/materials/agenda-118-oauth-03). > > > Rifaat, Pam and I are mediators in this process and therefore we rely on > your input. Since you have to do the work, you should think about where you > want to do it. > > > Ciao > > Hannes > > > PS: A process-related note. If you are author of a working group document > you are working for the group. With the transition from an individual > document to a working group document you have relinquished control to the > group. While your opinion is important, it has the same weight as the > opinion of any other working group participant. The theme is "We reject: > kings, presidents, and voting. We believe in: rough consensus and running > code". > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
