Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Melvin Carvalho
On 18 February 2016 at 14:40, Hannes Tschofenig 
wrote:

> Hi all,
>
> This is a Last Call for comments on the  OAuth 2.0 Discovery specification:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>
> Since this document was only adopted recently we are running this last
> call for **3 weeks**.
>
> Please have your comments in no later than March 10th.
>

Just finished reviewing this.  Since it's 1 day past the comments deadline,
I'll just leave some high level thoughts, based on how I may implement some
of this.  No need to respond.

1. I'd like to see a path supporting the increasingly popular w3c REC, JSON
LD.

2. General feedback I've had since the inception of webfinger was that it's
had decreasing adoption.  Perhaps an idea to remove reference.  Usage stats
would be interesting if public.

3. I feel the mandatory-ness of TLS/SSL slightly over the top.  I don't
think we are at HTTPS everywhere yet, and it's still a pain for the long
tail of developers.

I'll be interested to see this work in action.

>
>
> Ciao
> Hannes & Derek
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] OAuth 2.0 has won the 2013 European Identity Award

2013-05-15 Thread Melvin Carvalho
On 15 May 2013 19:24, Mike Jones  wrote:

>  I’m pleased to report that OAuth 2.0 has won the 2013 European Identity
> Award for Best Innovation/New Standard.  I was honored to accept the award
> from Kuppinger Cole at the 2013 European Identity and Cloud Conference on
> behalf of all who contributed to creating the OAuth 2.0 standards [RFC 6749,
> RFC 6750] and building solutions with them.
>
> (I also posted this announcement at http://self-issued.info/?p=1026.)
>

Congrats!


>
> -- Mike
>


Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

2012-04-20 Thread Melvin Carvalho
On 20 April 2012 16:40, Michael Thomas  wrote:

> On 04/20/2012 07:17 AM, Derek Atkins wrote:
>
>> Paul,
>>
>> "Paul E. Jones"  writes:
>>
>>  Tim,
>>>
>>> I do not agree that it's harmful. If I removed the WF discussion off the
>>> table, I'm still having a hard time buying into everything you said in
>>> the
>>> blog post.
>>>
>>> I implement various web services, largely for my own use.  Usually, I
>>> implement all of them in XML, JSON, plain text (attribute/value pairs),
>>> AND
>>> JavaScript (for JSONP).  For simple services, it's not hard.  I do it
>>> because I sometimes have different wants/desires on the client side.
>>>  (For
>>> more complex ones, I use XML.)
>>>
>> As an individual (and not the chair of OAUTH) I believe that the server
>> should be allowed, no encouraged, to support multiple formats for data
>> retrieval.  I also believe that clients should be allowed to choose only
>> one.  I am fine with JSON being Mandatory to Implement.  I am NOT okay
>> with making it the only one, and I am even less okay with mandating it
>> is the ONLY one.  I would say MUST JSON, MUST (or possibly SHOULD -- you
>> can convince me either way) XML, and MAY for anything else that people
>> feel strongly about (although I feel in 2012 XML and JSON are the two
>> best).  I also feel it is okay to say that a client MUST implement one
>> of JSON or XML, and MAY implement more.
>>
>>
>>
> Why not MUST ASN.1 while you're at it? JSON has won in case
> you'all haven't noticed it.
>

+1

Also bear in mind that when people say "XML" here, it's a specific subset
of XML namely "application/xrd+xml".


> Mike
>


Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

2012-04-19 Thread Melvin Carvalho
On 19 April 2012 23:12, Melvin Carvalho  wrote:

>
>
> On 19 April 2012 20:26, Eran Hammer  wrote:
>
>> #1 as John Panzer identified, allowing the server to control its
>> deployment and supporting HTTP redirects is critical.
>>
>
> +1
>
>
>> #2 JSON is better, which one is required is less of an issue but more of
>> a best practices item.
>>
>
> Happy with this comment, and a +1 for JSON only
>
>
>>
>> I'll add:
>>
>> * Highly cachable
>>
>
> +1 tho I think most CSN don't cache a 303 redirect
>

Apologies CSN should read CDN


>
>
>> * Optimize for large providers, reducing the need to make repeated
>> requests when the information is mostly following a template on the server
>> side
>>
>
> +1
>
>
>> * Ability to provide discovery on resources, not users or any other
>> subset (emails, etc.)
>>
>
> There's a subtlety here and that's the difference in HTML between "rel"
> and "rev".
>
> A forward or reverse lookup.  Forward is a natural way to look things up,
> eg you give a URL and you get a document.  But something like google search
> is actually a reverse index, you give it words and you get back URLs for
> documents.  Initially hard to get your head round, but in practice can be
> incredibly practical and useful.
>
> Given a triple such as (subject verb object)
>
>   email  <mailto:user@host>
>
> Is your lookup based on the subject (WF) or the object (SWF)?
>
> If subject then you need something there.  However, it need not be an
> acct: URI
>
> It could be a URN eg
>
> urn:acct:user@host  (no new uri scheme needed)
>
> it could be a relative URI such as
>
> <#>  (which facebook do)
>
> This indicates a pointer to the top of the document
>
> It can even be blank
>
> <>
>
> The so-called 'blank node' in the linked data world, but then you're more
> reliant on a query language, such as SPARQL.
>
> I'm sure I haven't covered every possibility.
>
> OR you can key off the Object
>
>   email <mailto:user@host>
>
> then return all key values associated with  which would be in
> the @subject position in the case of XRD/JRD or the @id position in the
> case of something like JSON LD
>
> It's quite confusing but essentially you are asking two very different
> things:
>
> 1) Give me all information where the subject is acct:user@host
>
> Which also means having to create a mapping, and educating every system
> what the subject of their email (or xmpp/sip/tel/twitter account) should
> be.  A potentially big task.  I'm not saying it's wrong, but IMHO this is
> potentially big enough to fill a whole other standards document in itself.
>
> or
>
> 2) Give me all information for the user with email mailto:user@host
>
> Non disruptive
>
> I'm sorry if I have not explained this very well, but the difference
> between rev and rel causes a lot of confusion in HTML, and that's
> essentially the subtlety here (forward vs reverse lookup)
>
>
>> * Security agnostic - leave it to HTTP, TLS, OAuth, etc.
>>
>
> +1
>
>
>> * HTTP compliant - doesn't invent its own redirection methods or custom
>> headers, etc.
>>
>
> +1
>
>
>>
>> EH
>>
>> > -Original Message-
>> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> > Of Mike Jones
>> > Sent: Thursday, April 19, 2012 9:49 AM
>> > To: Murray S. Kucherawy; oauth@ietf.org WG; Apps Discuss
>> > Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web
>> > Discovery (SWD)
>> >
>> > There are two criteria that I would consider to be essential
>> requirements for
>> > any resulting general-purpose discovery specification:
>> >
>> > 1.  Being able to always discover per-user information with a single GET
>> > (minimizing user interface latency for mobile devices, etc.)
>> >
>> > 2.  JSON should be required and it should be the only format required
>> > (simplicity and ease of deployment/adoption)
>> >
>> > SWD already meets those requirements.  If the resulting spec meets those
>> > requirements, it doesn't matter a lot whether we call it WebFinger or
>> Simple
>> > Web Discovery, but I believe that the requirements discussion is
>> probably
>> > the most productive one to be having at this point - not the starting
>> point
>> > document.
>> >
>> >   

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

2012-04-19 Thread Melvin Carvalho
On 19 April 2012 20:26, Eran Hammer  wrote:

> #1 as John Panzer identified, allowing the server to control its
> deployment and supporting HTTP redirects is critical.
>

+1


> #2 JSON is better, which one is required is less of an issue but more of a
> best practices item.
>

Happy with this comment, and a +1 for JSON only


>
> I'll add:
>
> * Highly cachable
>

+1 tho I think most CSN don't cache a 303 redirect


> * Optimize for large providers, reducing the need to make repeated
> requests when the information is mostly following a template on the server
> side
>

+1


> * Ability to provide discovery on resources, not users or any other subset
> (emails, etc.)
>

There's a subtlety here and that's the difference in HTML between "rel" and
"rev".

A forward or reverse lookup.  Forward is a natural way to look things up,
eg you give a URL and you get a document.  But something like google search
is actually a reverse index, you give it words and you get back URLs for
documents.  Initially hard to get your head round, but in practice can be
incredibly practical and useful.

Given a triple such as (subject verb object)

  email  <mailto:user@host>

Is your lookup based on the subject (WF) or the object (SWF)?

If subject then you need something there.  However, it need not be an acct:
URI

It could be a URN eg

urn:acct:user@host  (no new uri scheme needed)

it could be a relative URI such as

<#>  (which facebook do)

This indicates a pointer to the top of the document

It can even be blank

<>

The so-called 'blank node' in the linked data world, but then you're more
reliant on a query language, such as SPARQL.

I'm sure I haven't covered every possibility.

OR you can key off the Object

  email <mailto:user@host>

then return all key values associated with  which would be in the
@subject position in the case of XRD/JRD or the @id position in the case of
something like JSON LD

It's quite confusing but essentially you are asking two very different
things:

1) Give me all information where the subject is acct:user@host

Which also means having to create a mapping, and educating every system
what the subject of their email (or xmpp/sip/tel/twitter account) should
be.  A potentially big task.  I'm not saying it's wrong, but IMHO this is
potentially big enough to fill a whole other standards document in itself.

or

2) Give me all information for the user with email mailto:user@host

Non disruptive

I'm sorry if I have not explained this very well, but the difference
between rev and rel causes a lot of confusion in HTML, and that's
essentially the subtlety here (forward vs reverse lookup)


> * Security agnostic - leave it to HTTP, TLS, OAuth, etc.
>

+1


> * HTTP compliant - doesn't invent its own redirection methods or custom
> headers, etc.
>

+1


>
> EH
>
> > -Original Message-
> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> > Of Mike Jones
> > Sent: Thursday, April 19, 2012 9:49 AM
> > To: Murray S. Kucherawy; oauth@ietf.org WG; Apps Discuss
> > Subject: Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web
> > Discovery (SWD)
> >
> > There are two criteria that I would consider to be essential
> requirements for
> > any resulting general-purpose discovery specification:
> >
> > 1.  Being able to always discover per-user information with a single GET
> > (minimizing user interface latency for mobile devices, etc.)
> >
> > 2.  JSON should be required and it should be the only format required
> > (simplicity and ease of deployment/adoption)
> >
> > SWD already meets those requirements.  If the resulting spec meets those
> > requirements, it doesn't matter a lot whether we call it WebFinger or
> Simple
> > Web Discovery, but I believe that the requirements discussion is probably
> > the most productive one to be having at this point - not the starting
> point
> > document.
> >
> >   -- Mike
> >
> > -Original Message-
> > From: apps-discuss-boun...@ietf.org [mailto:apps-discuss-
> > boun...@ietf.org] On Behalf Of Murray S. Kucherawy
> > Sent: Thursday, April 19, 2012 9:32 AM
> > To: oauth@ietf.org WG; Apps Discuss
> > Subject: Re: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web
> > Discovery (SWD)
> >
> > By all means people should correct me if they think I'm wrong about
> this, but
> > so far from monitoring the discussion there seems to be general support
> for
> > focusing on WebFinger and developing it to meet the needs of those who
> > have deployed SWD, versus the opposite.
> >
> > Does anyone want to argue the opposite?
> >
> > -MSK, appsawg co-chair
> >
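The forward (subject-keyed) versus reverse (object-keyed) lookup described in the post above, as an added Python example that is not part of the thread. TRIPLES is a constructed sample set, mailto_to_acct is a hypothetical mapping (the post notes the spec defines none), and the JRD-like output shape is an assumption.

```python
from collections import defaultdict

# Constructed sample triples (subject, predicate, object); not from the thread.
TRIPLES = [
    ("acct:user@host", "email", "mailto:user@host"),
    ("acct:user@host", "profile", "https://host/user"),
    ("acct:user@host", "key", "https://host/user#key"),
    ("acct:other@host", "email", "mailto:other@host"),
    ("acct:other@host", "profile", "https://host/other"),
]


class TripleIndex:
    """Indexes the triples in both directions so each lookup is a dict hit."""

    def __init__(self, triples):
        self.by_subject = defaultdict(list)  # forward: subject -> [(rel, href)]
        self.by_object = defaultdict(set)    # reverse: object  -> {subjects}
        for s, p, o in triples:
            self.by_subject[s].append((p, o))
            self.by_object[o].add(s)

    def forward(self, subject):
        """Forward ('rel') lookup: everything asserted about a known subject,
        returned in a JRD-like shape. None if the subject is unknown."""
        if subject not in self.by_subject:
            return None
        links = [{"rel": p, "href": o} for p, o in sorted(self.by_subject[subject])]
        return {"subject": subject, "links": links}

    def reverse(self, obj):
        """Reverse ('rev') lookup: find the subject(s) the object hangs off,
        then return everything about each of them. No mapping step needed."""
        return [self.forward(s) for s in sorted(self.by_object.get(obj, ()))]


def mailto_to_acct(uri):
    """Hypothetical mailto: -> acct: mapping (assumed here; the thread notes the
    spec does not define one). Raises on anything that is not a mailto: URI."""
    if not uri.startswith("mailto:"):
        raise ValueError("not a mailto: URI: " + uri)
    return "acct:" + uri[len("mailto:"):]


def lookup_by_email(index, mailto):
    """Both routes to the same data: forward needs the mapping, reverse does not."""
    via_mapping = index.forward(mailto_to_acct(mailto))
    via_reverse = index.reverse(mailto)
    return via_mapping, via_reverse


if __name__ == "__main__":
    idx = TripleIndex(TRIPLES)
    print(idx.forward("mailto:user@host"))  # None: mailto: is an object, not a subject
    print(lookup_by_email(idx, "mailto:user@host"))
```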

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

2012-04-19 Thread Melvin Carvalho
On 19 April 2012 18:48, Mike Jones  wrote:

> There are two criteria that I would consider to be essential requirements
> for any resulting general-purpose discovery specification:
>
> 1.  Being able to always discover per-user information with a single GET
> (minimizing user interface latency for mobile devices, etc.)
>
> 2.  JSON should be required and it should be the only format required
> (simplicity and ease of deployment/adoption)
>
> SWD already meets those requirements.  If the resulting spec meets those
> requirements, it doesn't matter a lot whether we call it WebFinger or
> Simple Web Discovery, but I believe that the requirements discussion is
> probably the most productive one to be having at this point - not the
> starting point document.
>

+1

> -- Mike
>
> -Original Message-
> From: apps-discuss-boun...@ietf.org [mailto:apps-discuss-boun...@ietf.org]
> On Behalf Of Murray S. Kucherawy
> Sent: Thursday, April 19, 2012 9:32 AM
> To: oauth@ietf.org WG; Apps Discuss
> Subject: Re: [apps-discuss] [OAUTH-WG] Web Finger vs. Simple Web Discovery
> (SWD)
>
> By all means people should correct me if they think I'm wrong about this,
> but so far from monitoring the discussion there seems to be general support
> for focusing on WebFinger and developing it to meet the needs of those who
> have deployed SWD, versus the opposite.
>
> Does anyone want to argue the opposite?
>
> -MSK, appsawg co-chair
>


Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

2012-04-15 Thread Melvin Carvalho
On 15 April 2012 08:21, Eran Hammer  wrote:

>  Tone aside, this is not the first time you distorted process and
> technical facts to suit your goals. Just look up some of our exchanges from
> a year ago and the transcript of the Prague meeting for highlights.
>

As Stephen suggests, could we possibly continue this fascinating discussion
on apps discuss?

I know people are passionate about this issue, and that's a positive
thing.

But I think it probably would be most productive, if we could all try to
keep personal attacks to a minimum.


>
> EH
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones
> Sent: Friday, April 13, 2012 9:18 AM
> To: Blaine Cook
> Cc: oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)
>
> Hi Blaine.  I must admit, I’m pretty surprised by the tone of your reply.
> I’ll say up front that I have absolutely no problem with anyone disagreeing
> with me on a technical or tactical basis.  If you think I’m wrong, have at
> it.
>
> But I am pretty shocked that you would decide to impugn my motives.  We’ve
> only met twice and both times I thought we had really useful and productive
> discussions about how to move digital identity on the Web forward –
> something I believe that we’re both passionate about.  You don’t really
> know me, though, which is apparent from your remarks below.  I believe that
> those who have worked with me for years would vouch that I am a forthright
> and evenhanded standards participant who listens to all points of view,
> tries to build a consensus that works, and produce quality results.
>
> I thought about your note overnight and whether I should reply at all.
> I’m fine with give and take, but I believe that I need to say that if you
> read what you wrote below, I think you’ll agree that the tone you used was
> counter-productive and an apology is in order.
>
> -- Mike
>
> P.S.  I’ll address your technical points below in a separate note at some
> point – some I agree with and some I don’t.  But I felt that I needed to
> address my motives being questioned separately and first.  I hope we can
> both come out of this with a better understanding of one another and work
> together towards the important goals that we both share.
>
> From: Blaine Cook [mailto:rom...@gmail.com]
> Sent: Thursday, April 12, 2012 3:41 PM
> To: Mike Jones
> Cc: Hannes Tschofenig; oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)
>
> On 12 April 2012 17:51, Mike Jones wrote:
>
> Thanks for asking these questions Hannes.  I'll first provide a brief
> feature comparison of Simple Web Discovery and WebFinger and then answer
> your questions.
>
> FEATURE COMPARISON
>
> RESULT GRANULARITY AND PRIVACY CHARACTERISTICS:  SWD returns the resource
> location(s) for a specific resource for a specific principal.  WebFinger
> returns all resources for the principal.  The example at
> http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03#section-3.2
> "Retrieving a Person's Contact Information" is telling.  The WebFinger
> usage model seems to be "I'll get everything about you and then fish
> through it to decide what to do with it."  The protocol assumption that all
> WebFinger information must be public is also built into the protocol where
> the CORS response header "Access-Control-Allow-Origin: *" is mandated, per
> http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03#section-7.
>  The privacy characteristics of these approaches are very different.  (It's
> these very same privacy characteristics that led sysadmins to nearly
> ubiquitously disabling the fingerd service!)  Particularly for the OAuth
> use cases, narrow, scoped, and potentially permissioned responses seem
> preferable.
>
> This is absolutely false.
>
> SWD provides no privacy whatsoever. SWD makes it somewhat harder to crawl
> large numbers of profiles, but it does not incorporate any real security,
> and any attempt to suggest that it does is misleading and deceptive.
>
> Webfinger, like any good HTTP service, is designed to allow access control
> using appropriate means. That access control should not be *bound* to the
> protocol, in the same way that HTTP does not have any REQUIRED access
> control mechanisms, since doing so would severely restrict future usage of
> a core protocol.
>
> FUD has no place in a discussion of the technical and social merits of a
> protocol.
>
> For what it's worth, my intent with webfinger *from day one, nearly four
> years ago*, has been to provide permissioned profile data *using EXISTING*
> (or new, where appropriate or necessary, based on *running code and
> deployment

Re: [OAUTH-WG] Web Finger vs. Simple Web Discovery (SWD)

2012-04-13 Thread Melvin Carvalho
On 12 April 2012 13:00, Hannes Tschofenig  wrote:

> Hi all,
>
> those who had attended the last IETF meeting may have noticed the ongoing
> activity in the 'Applications Area Working Group' regarding Web Finger.
> We had our discussion regarding Simple Web Discovery (SWD) as part of the
> re-chartering process.
>
> Here are the two specifications:
> http://tools.ietf.org/html/draft-jones-appsawg-webfinger-03
> http://tools.ietf.org/html/draft-jones-simple-web-discovery-02
>
> Now, the questions that seems to be hanging around are
>
>  1) Aren't these two mechanisms solving pretty much the same problem?
>  2) Do we need to have two standards for the same functionality?
>  3) Do you guys have a position or comments regarding either one of them?
>

No mention of Linked Data?  (eg JSON LD).  Even tho it's used to discover
data by most governments, the world bank, over 2000 retailers, all major
search engines?

Webfinger I love the concept, but seems overly complicated to me.
Introduction of the acct: scheme seems unnecessary.  Nowhere in the spec
does it cover how to get from mailto:user@host -> acct:user@host which, if
I'm not mistaken, seems to defeat the object of the forward lookup.  From a
practical perspective it seems both xml and json must be supported which is
an added layer of complexity.

Also note that discovery is an additive process... in a certain way, you
could say, the more the better :)


>
> Ciao
> Hannes
>
> PS: Please also let me know if your view is: "I don't really know what all
> this is about and the documents actually don't provide enough requirements
> to make a reasonable judgement about the solution space."
>
>
>
>


[OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)

2011-12-18 Thread Melvin Carvalho
Quick question.  I was wondering if OAuth 2.0 can work with access
control lists.

For example there is a protected resource (e.g. a photo), and I want
to set it up so that two or more users (for example a group of
friends) U1, U2 ... Un will be able to access it after authenticating.

Is this kind of flow possible with OAuth 2.0, and if so whose
responsibility is it to maintain the list of agents that can access
the resource?