Re: [OAUTH-WG] oauth-bearer and rfc 2617/httpbis authentication framework

2012-07-23 Thread Julian Reschke

On 2012-07-23 00:33, Stephen Farrell wrote:


> Hi all,
>
> I'd like to check that some recent minor changes to this
> document [1] don't cause technical or process-grief.
>
> The version [2] of the oauth bearer draft that underwent
> IETF LC and IESG evaluation had a normative dependency
> on the httpbis wg's authentication framework. [3]
>
> After resolving IESG discuss positions the authors and
> wg chairs felt that it would be better to replace the
> normative reference to the httpbis wg draft [3] with one
> to RFC 2617 [4] so that the OAuth drafts wouldn't be held
> in the RFC editor queue waiting on the httpbis wg to get
> done.
>
> I believe there is no impact on interop resulting from
> this change but there has been some disagreement about
> making it and how it was made. After some offlist discussion
> I think we now have an RFC editor note [5] that means that
> the current scheme of referring to RFC 2617 is ok.
> ...

Quoting:

> NEW:
>
>    The "Authorization" header for this scheme follows the usage
>    of the Basic scheme [RFC2617]. Note that, as with Basic, this
>    is compatible with the general authentication framework
>    being developed for HTTP 1.1 [I-D.ietf-httpbis-p7-auth], though
>    does not follow the preferred practice outlined therein in
>    order to reflect existing deployments. The syntax for Bearer
>    credentials is as follows:


That helps, but it still hides the fact that the syntax is not 
compatible with the RFC 2617 framework.


Also, s/header/header field/

Proposal:

"The syntax of the "Authorization" header field for this scheme follows 
the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note 
that, as with Basic, it does not conform to the generic syntax defined 
in Section 1.2 of [RFC2617], but that it is compatible with the
general authentication framework being developed for HTTP 1.1 
[I-D.ietf-httpbis-p7-auth], although it does not follow the preferred 
practice outlined therein in order to reflect existing deployments.


The syntax for Bearer credentials is as follows: ..."

Best regards, Julian


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
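
Added example (not part of the thread or of the draft): a Python sketch of the distinction raised in the message above, checking an "Authorization" value against the generic auth-param list of RFC 2617 Section 1.2 and against the single-token form that Basic and Bearer use. The grammar constants follow RFC 2616/2617 and the Bearer specification's b64token; the function names and the sample header values are constructed for illustration.

```python
import re

# token (RFC 2616): any CHAR except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# RFC 2617 Section 1.2: auth-param = token "=" ( token | quoted-string )
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")
# Bearer: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def split_credentials(value):
    """Split 'scheme SP rest' into (scheme, rest); rest may be empty."""
    scheme, _, rest = value.partition(" ")
    return scheme, rest.lstrip(" ")


def parse_auth_params(rest):
    """Return {name: value} if rest is a comma-separated auth-param list, else None."""
    params, pos = {}, 0
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if not m:
            return None
        params[m.group(1).lower()] = m.group(2)
        pos = m.end()
        if pos < len(rest):
            if rest[pos] != ",":
                return None
            pos += 1
    return params


def classify(value):
    """Return (scheme, form), form being 'b64token', 'auth-params' or 'invalid'."""
    scheme, rest = split_credentials(value)
    if B64TOKEN.fullmatch(rest):
        form = "b64token"          # Basic/Bearer style, outside the 1.2 grammar
    elif parse_auth_params(rest) is not None:
        form = "auth-params"       # generic RFC 2617 Section 1.2 style
    else:
        form = "invalid"
    return scheme.lower(), form


def bearer_token(value):
    """Strict extraction for a resource server: the token, or None if malformed."""
    scheme, rest = split_credentials(value)
    if scheme.lower() != "bearer" or not B64TOKEN.fullmatch(rest):
        return None
    return rest


if __name__ == "__main__":
    # Constructed sample header values.
    for sample in (
        "Bearer mF_9.B5f-4.1JqM",
        "Basic dXNlcjpwYXNz",
        'Digest username="alice", realm="example", nonce="abc123"',
        "Bearer dGVzdA==",
        "Bearer a=b",
        "Bearer abc def",
    ):
        print(f"{sample!r:60} -> {classify(sample)}")
```

A parser written only to the Section 1.2 grammar returns nothing for a well-formed Bearer token, so a resource server needs the single-token form handled explicitly, and rejecting anything else keeps values such as `a=b` or `abc def` out of token lookup.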


Re: [OAUTH-WG] oauth-bearer and rfc 2617/httpbis authentication framework

2012-07-23 Thread Stephen Farrell

Hiya,

On 07/23/2012 08:56 AM, Julian Reschke wrote:
> On 2012-07-23 00:33, Stephen Farrell wrote:
>>
>> Hi all,
>>
>> I'd like to check that some recent minor changes to this
>> document [1] don't cause technical or process-grief.
>>
>> The version [2] of the oauth bearer draft that underwent
>> IETF LC and IESG evaluation had a normative dependency
>> on the httpbis wg's authentication framework. [3]
>>
>> After resolving IESG discuss positions the authors and
>> wg chairs felt that it would be better to replace the
>> normative reference to the httpbis wg draft [3] with one
>> to RFC 2617 [4] so that the OAuth drafts wouldn't be held
>> in the RFC editor queue waiting on the httpbis wg to get
>> done.
>>
>> I believe there is no impact on interop resulting from
>> this change but there has been some disagreement about
>> making it and how it was made. After some offlist discussion
>> I think we now have an RFC editor note [5] that means that
>> the current scheme of referring to RFC 2617 is ok.
>> ...
> 
> Quoting:
> 
>> NEW:
>>
>>    The "Authorization" header for this scheme follows the usage
>>    of the Basic scheme [RFC2617]. Note that, as with Basic, this
>>    is compatible with the general authentication framework
>>    being developed for HTTP 1.1 [I-D.ietf-httpbis-p7-auth], though
>>    does not follow the preferred practice outlined therein in
>>    order to reflect existing deployments. The syntax for Bearer
>>    credentials is as follows:
> 
> That helps, but it still hides the fact that the syntax is not
> compatible with the RFC 2617 framework.

"hides" isn't a goal:-)

> Also, s/header/header field/
> 
> Proposal:
> 
> "The syntax of the "Authorization" header field for this scheme follows
> the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note
> that, as with Basic, it does not conform to the generic syntax defined
> in Section 1.2 of [RFC2617], but that it is compatible with the
> general authentication framework being developed for HTTP 1.1
> [I-D.ietf-httpbis-p7-auth], although it does not follow the preferred
> practice outlined therein in order to reflect existing deployments.
> 
> The syntax for Bearer credentials is as follows: ..."

That looks better. I've updated the RFC editor note to
use your text.

Thanks,
S.

> 
> Best regards, Julian


Re: [OAUTH-WG] oauth-bearer and rfc 2617/httpbis authentication framework

2012-07-23 Thread Hannes Tschofenig
Thank you Stephen for getting this RFC Editor note in. 

On Jul 23, 2012, at 1:33 AM, Stephen Farrell wrote:

> 
> Hi all,
> 
> I'd like to check that some recent minor changes to this
> document [1] don't cause technical or process-grief.
> 
> The version [2] of the oauth bearer draft that underwent
> IETF LC and IESG evaluation had a normative dependency
> on the httpbis wg's authentication framework. [3]
> 
> After resolving IESG discuss positions the authors and
> wg chairs felt that it would be better to replace the
> normative reference to the httpbis wg draft [3] with one
> to RFC 2617 [4] so that the OAuth drafts wouldn't be held
> in the RFC editor queue waiting on the httpbis wg to get
> done.
> 
> I believe there is no impact on interop resulting from
> this change but there has been some disagreement about
> making it and how it was made. After some offlist discussion
> I think we now have an RFC editor note [5] that means that
> the current scheme of referring to RFC 2617 is ok.
> 
> If there are no problems with this in the next week I'll
> move the document [1] along as-is.
> 
> Thanks,
> Stephen.
> 
> [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer
> [2] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-18
> [3] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth
> [4] http://tools.ietf.org/html/rfc2617
> [5] https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/writeup/


[OAUTH-WG] No design team call today

2012-07-23 Thread Hannes Tschofenig
 given the IETF meeting next week. 

Please read through the WG documents to be properly prepared. 

Ciao
Hannes



Re: [OAUTH-WG] Meeting slot for the Vancouver IETF meeting requested

2012-07-23 Thread Thomas Hardjono
Hannes, Derek,

Would it be possible to postpone presentation/discussion of the Dyn-Reg
draft (Dynamic Client Registration Protocol) to the Atlanta/November
IETF meeting?

The reason is that none of the proposers will be attending the
Vancouver IETF in-person.

Thanks.

/thomas/

__


> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Hannes Tschofenig
> Sent: Sunday, July 15, 2012 1:58 PM
> To: John Bradley
> Cc: oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Meeting slot for the Vancouver IETF meeting
> requested
> 
> Hi all,
> 
> I have uploaded an agenda for the meeting.
> 
> I am assuming that all these items do not require discussion time
> anymore:
> * draft-ietf-oauth-assertions
> * draft-ietf-oauth-saml2-bearer
> * draft-ietf-oauth-urn-sub-ns
> * draft-ietf-oauth-v2
> * draft-ietf-oauth-v2-bearer
> 
> Hence, we can focus on the new items. As discussed in the mail below I
> put a separate slot for discussion of the holder-of-the-key/MAC token
> security discussion on the agenda. I would suggest that a couple of us
> meet during the IETF week to work together on a presentation that
> provides some concrete suggestions for next steps to the rest of the
> group.
>
> I also put the following persons on the spot for the presentations of
> working group items:
> 
> - OAuth Dynamic Client Registration Protocol (Thomas)
> - JSON Web Token (JWT) (Mike)
> - JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 (Mike)
> - Token Revocation (Torsten)
> - SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 (Brian)
> - OAuth Use Cases (Zachary)
> 
> Let me know if you want someone else to give the presentation.
> 
> As a preparation for the meeting it would be good if you could
> (a) identify the open issues with your document, and
> (b) find one or two reviewers to have a look at your document during
> the next two weeks.
> 
> Ciao
> Hannes
> 
> On Jul 15, 2012, at 5:59 PM, John Bradley wrote:
> 
> > Yes we need to get clearer on the threats and use cases.
> >
> > I think Phil Hunt has some though there is likely overlap.
> >
> > Part of the problem with MAC was people never agreed on the threats
> > it was mitigating.
> >
> > I can present something or coordinate with Tony or Phil.
> >
> > John B.
> >
> > On 2012-07-14, at 9:36 PM, Anthony Nadalin wrote:
> >
> >> How about a few min on proof-of-possession requirements? I can
> >> present our use cases and requirements
> >>
> >> -----Original Message-----
> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> >> Behalf Of Mike Jones
> >> Sent: Friday, July 13, 2012 4:42 PM
> >> To: Hannes Tschofenig; oauth@ietf.org WG
> >> Subject: Re: [OAUTH-WG] Meeting slot for the Vancouver IETF meeting
> >> requested
> >>
> >> I'm willing to do 5 minutes on the status of the Core and Bearer
> >> documents.
> >>
> >> I'm willing to give an update on JWT and the JWT Bearer - probably
> >> 15 minutes.  It's probably good that we're a day after the JOSE WG
> >> meeting, given the JWT dependency upon the JOSE specs.
> >>
> >> I'm willing to be part of a discussion on the Assertions draft, but
> >> would appreciate doing this with Brian and/or Chuck - I'm guessing 15
> >> minutes for that as well.  (I'm not certain this will be needed, but
> >> I'd like to review the recent changes before saying that it's not.)
> >>
> >> Looking forward to seeing many of you in Vancouver!
> >>
> >> -- Mike
> >>
> >> -----Original Message-----
> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> >> Behalf Of Hannes Tschofenig
> >> Sent: Saturday, June 02, 2012 12:46 AM
> >> To: oauth@ietf.org WG
> >> Subject: [OAUTH-WG] Meeting slot for the Vancouver IETF meeting
> >> requested
> >>
> >> Hi all,
> >>
> >> I have requested a 2,5 hour slot for the upcoming meeting.
> >>
> >> While the next meeting is still a bit away it is nevertheless useful
> >> to hear
> >> * whether you plan to attend the next meeting, and
> >> * whether you want to present something.
> >>
> >> I could imagine that these documents will be discussed:
> >> * draft-ietf-oauth-dyn-reg
> >> * draft-ietf-oauth-json-web-token
> >> * draft-ietf-oauth-jwt-bearer
> >> * draft-ietf-oauth-revocation
> >> * draft-ietf-oauth-use-cases
> >>
> >> To the draft authors of these documents: Please think about the open
> >> issues and drop a mail to the list so that we make some progress
> >> already before the face-to-face meeting.
> >>
> >> I am assuming that the following documents do not require any
> >> discussion time at the upcoming IETF meeting anymore:
> >> * draft-ietf-oauth-assertions
> >> * draft-ietf-oauth-saml2-bearer
> >> * draft-ietf-oauth-urn-sub-ns
> >> * draft-ietf-oauth-v2
> >> * draft-ietf-oauth-v2-bearer
> >>
> >> Ciao
> >> Hannes
> >>

[OAUTH-WG] Document Action: 'An IETF URN Sub-Namespace for OAuth' to Informational RFC (draft-ietf-oauth-urn-sub-ns-06.txt)

2012-07-23 Thread The IESG
The IESG has approved the following document:
- 'An IETF URN Sub-Namespace for OAuth'
  (draft-ietf-oauth-urn-sub-ns-06.txt) as Informational RFC

This document is the product of the Web Authorization Protocol Working
Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-oauth-urn-sub-ns/




Technical Summary

  This document establishes an IETF URN Sub-namespace for use with
  OAuth related specifications.

Working Group Summary

  There was no significant controversy in the working group, to my
  knowledge. I suppose there really wasn't an argument about how to
  spell "oauth". 

Document Quality

  The document is as long and short as it needs to be to register a
  URN entry with IANA. 

Personnel

  Document Shepherd: Derek Atkins
  Responsible AD: Stephen Farrell


IANA Note

 OLD:
- Establishment of a new registry for URNs subordinate to
  urn:ietf:params:oauth.  Instructions for a registrant to request
  the registration of such a URN are in Section 3.

NEW: 
- Establishment of a new registry called the "oAuth URI" registry for 
URNs subordinate to urn:ietf:params:oauth.  The registry "oAuth URI" 
will be added to a new top-level registry called "OAuth Parameters"
as defined by draft-ietf-oauth-v2.  Instructions for a registrant 
to request the registration of such a URN are in Section 3.




Re: [OAUTH-WG] Change in editorship of OAuth Core Spec

2012-07-23 Thread Richer, Justin P.
>> Eran Hammer has decided to step down as Editor of the OAuth Core
>> specification.  I would like to personally thank Eran for all his years
>> of hard work and effort to the draft as well as to the working group at
>> large.
> 
> As former chair, I want to add my thanks.  Eran has done a *lot* of
> work on the OAuth documents over the last years, and deserves much
> appreciation for it.

Late to the party, but I also want to publicly thank Eran for what has been a 
nearly thankless job over the last few years. It's very difficult wrangling a 
pack of angry nerds and trying to express a group consensus, to be sure. In the 
end I think we have a specification document that is readable, makes sense, and 
will ultimately be one of the most useful protocols on the internet over the 
next few years. I know it hasn't been easy, and things probably could have gone 
a lot better than they did, but even still: Thank you.

 -- Justin


Re: [OAUTH-WG] Change in editorship of OAuth Core Spec

2012-07-23 Thread Brian Campbell
+1

Well said Justin. And thank you Eran.

On Mon, Jul 23, 2012 at 11:05 AM, Richer, Justin P.  wrote:
>>> Eran Hammer has decided to step down as Editor of the OAuth Core
>>> specification.  I would like to personally thank Eran for all his years
>>> of hard work and effort to the draft as well as to the working group at
>>> large.
>>
>> As former chair, I want to add my thanks.  Eran has done a *lot* of
>> work on the OAuth documents over the last years, and deserves much
>> appreciation for it.
>
> Late to the party, but I also want to publicly thank Eran for what has been a 
> nearly thankless job over the last few years. It's very difficult wrangling a 
> pack of angry nerds and trying to express a group consensus, to be sure. In 
> the end I think we have a specification document that is readable, makes 
> sense, and will ultimately be one of the most useful protocols on the 
> internet over the next few years. I know it hasn't been easy, and things 
> probably could have gone a lot better than they did, but even still: Thank 
> you.
>
>  -- Justin


Re: [OAUTH-WG] Change in editorship of OAuth Core Spec

2012-07-23 Thread Peter Saint-Andre
Indeed. Many thanks to Eran!

On 7/23/12 11:08 AM, Brian Campbell wrote:
> +1
> 
> Well said Justin. And thank you Eran.
> 
> On Mon, Jul 23, 2012 at 11:05 AM, Richer, Justin P.  wrote:
>>>> Eran Hammer has decided to step down as Editor of the OAuth Core
>>>> specification.  I would like to personally thank Eran for all his years
>>>> of hard work and effort to the draft as well as to the working group at
>>>> large.
>>>
>>> As former chair, I want to add my thanks.  Eran has done a *lot* of
>>> work on the OAuth documents over the last years, and deserves much
>>> appreciation for it.
>>
>> Late to the party, but I also want to publicly thank Eran for what has been 
>> a nearly thankless job over the last few years. It's very difficult 
>> wrangling a pack of angry nerds and trying to express a group consensus, to 
>> be sure. In the end I think we have a specification document that is 
>> readable, makes sense, and will ultimately be one of the most useful 
>> protocols on the internet over the next few years. I know it hasn't been 
>> easy, and things probably could have gone a lot better than they did, but 
>> even still: Thank you.
>>
>>  -- Justin


Re: [OAUTH-WG] Change in editorship of OAuth Core Spec

2012-07-23 Thread Torsten Lodderstedt
+1



Peter Saint-Andre wrote:

Indeed. Many thanks to Eran!

On 7/23/12 11:08 AM, Brian Campbell wrote:
> +1
> 
> Well said Justin. And thank you Eran.
> 
> On Mon, Jul 23, 2012 at 11:05 AM, Richer, Justin P.  wrote:
>>>> Eran Hammer has decided to step down as Editor of the OAuth Core
>>>> specification. I would like to personally thank Eran for all his years
>>>> of hard work and effort to the draft as well as to the working group at
>>>> large.
>>>
>>> As former chair, I want to add my thanks. Eran has done a *lot* of
>>> work on the OAuth documents over the last years, and deserves much
>>> appreciation for it.
>>
>> Late to the party, but I also want to publicly thank Eran for what has been 
>> a nearly thankless job over the last few years. It's very difficult 
>> wrangling a pack of angry nerds and trying to express a group consensus, to 
>> be sure. In the end I think we have a specification document that is 
>> readable, makes sense, and will ultimately be one of the most useful 
>> protocols on the internet over the next few years. I know it hasn't been 
>> easy, and things probably could have gone a lot better than they did, but 
>> even still: Thank you.
>>
>> -- Justin


Re: [OAUTH-WG] Change in editorship of OAuth Core Spec

2012-07-23 Thread John Bradley
I also want to thank Eran for all of his work.

We would not have OAuth without his contributions.

John B.
On 2012-07-23, at 1:14 PM, Torsten Lodderstedt wrote:

> +1
> 
> 
> 
> Peter Saint-Andre wrote:
> Indeed. Many thanks to Eran!
> 
> On 7/23/12 11:08 AM, Brian Campbell wrote:
> > +1
> > 
> > Well said Justin. And thank you Eran.
> > 
> > On Mon, Jul 23, 2012 at 11:05 AM, Richer, Justin P.  
> > wrote:
> >>>> Eran Hammer has decided to step down as Editor of the OAuth Core
> >>>> specification.  I would like to personally thank Eran for all his years
> >>>> of hard work and effort to the draft as well as to the working group at
> >>>> large.
> >>>
> >>> As former chair, I want to add my thanks.  Eran has done a *lot* of
> >>> work on the OAuth documents over the last years, and deserves much
> >>> appreciation for it.
> >>
> >> Late to the party, but I also want to publicly thank Eran for what has
> >> been a nearly thankless job over the last few years. It's very difficult
> >> wrangling a pack of angry nerds and trying to express a group consensus,
> >> to be sure. In the end I think we have a specification document that is
> >> readable, makes sense, and will ultimately be one of the most useful
> >> protocols on the internet over the next few years. I know it hasn't been
> >> easy, and things probably could have gone a lot better than they did, but
> >> even still: Thank you.
> >>
> >>  -- Justin


Re: [OAUTH-WG] Change in editorship of OAuth Core Spec

2012-07-23 Thread Aiden Bell
Thanks Eran, can't be an easy job :)

On 23 July 2012 18:20, John Bradley  wrote:

> I also want to thank Eran for all of his work.
>
> We would not have OAuth without his contributions.
>
> John B.
> On 2012-07-23, at 1:14 PM, Torsten Lodderstedt wrote:
>
> +1
>
>
>
> Peter Saint-Andre wrote:
>>
>> Indeed. Many thanks to Eran!
>>
>> On 7/23/12 11:08 AM, Brian Campbell wrote:
>> > +1
>> >
>> > Well said Justin. And thank you Eran.
>> >
>> > On Mon, Jul 23, 2012 at 11:05 AM, Richer, Justin P.  
>> > wrote:
>> >>>> Eran Hammer has decided to step down as Editor of the OAuth Core
>> >>>> specification.  I would like to personally thank Eran for all his years
>> >>>> of hard work and effort to the draft as well as to the working group at
>> >>>> large.
>> >>>
>> >>> As former chair, I want to add my thanks.  Eran has done a *lot* of
>> >>> work on the OAuth documents over the last years, and deserves much
>> >>> appreciation for it.
>> >>
>> >> Late to the party, but I also want to publicly thank Eran for what has
>> >> been a nearly thankless job over the last few years. It's very difficult
>> >> wrangling a pack of angry nerds and trying to express a group consensus,
>> >> to be sure. In the end I think we have a specification document that is
>> >> readable, makes sense, and will ultimately be one of the most useful
>> >> protocols on the internet over the next few years. I know it hasn't been
>> >> easy, and things probably could have gone a lot better than they did, but
>> >> even still: Thank you.
>> >>
>> >>  -- Justin


-- 
--
Never send sensitive or private information via email unless it is
encrypted. http://www.gnupg.org