Hi Daniel, Hi all,
thank you all for the feedback.
Regarding "less than ideal communication": Fair enough. Listing them as
"proposed work items" has, however, helped me to finally get clarity
about what the preferences are. As one of the BOF chairs I prefer to
hear this feedback now rather than next Tuesday.
This leaves us pretty much with what I wrote in this email:
https://mailarchive.ietf.org/arch/msg/spice/oO3Icn84-_hCAOqi5j60B6Tt0FI/
The question to the authors of the SD-JWT & related documents is: Does a
CBOR/COSE serialization provide value in your use cases?
Ciao
Hannes
On 02.11.2023 at 08:41, Daniel Fett wrote:
I second what my co-authors Kristina and Brian said. It is a risk, and
there are a lot of unknowns here.
I have a similar feeling regarding SD-JWT VC, even though that is
farther away from the finish line.
And as an attempt to explain some of the responses: I think the
communication here was less than ideal. Even if the authors of the
drafts may have no more say than anyone else, as you pointed out,
getting them on board with the idea before listing the drafts as
"proposed work items" would have helped.
-Daniel
On 01.11.23 at 15:54, Kristina Yasuda wrote:
Moving a somewhat mature draft to another WG is highly likely to slow
down the progress on that document: there is no guarantee there will
be an overlap in the WG members, there is a risk that discussions
that were already resolved will be re-opened, etc.
I consider SD-JWT closer to a finish line than a start line and would
not like its progress being slowed down by moving it to another WG at
this point of the document's lifecycle. I am not in favor of moving
SD-JWT work to SPICE WG.
Best,
Kristina
*From:* OAuth <oauth-boun...@ietf.org> *On Behalf Of* Hannes Tschofenig
*Sent:* Wednesday, November 1, 2023 4:21 AM
*To:* oauth <oauth@ietf.org>; sp...@ietf.org
*Subject:* [OAUTH-WG] Relationship between SPICE and OAuth
Hi all,
I am a bit puzzled by the response Pam and I received when putting
the agenda for the SPICE BOF together. It appears that most people
have not paid attention to the discussions during the last few months.
Let me try to get you up to speed. So, here is my summary.
The OAuth working group has seen a lot of interest in the context of
the SD-JWT/VC work and there have been complaints about the three WG
sessions we scheduled at the last IETF meeting. (FWIW neither Rifaat
nor I understood why we received these complaints given that people
asked us for more slots. But that's another story...)
The SD-JWT/VC work is architecturally different to the classical
OAuth (which is not a problem) but raises questions about the scope
of the work done in the OAuth working group, as defined by the
charter. The charter of a group is a "contract" with the steering
committee (IESG) about the work we are supposed to be doing. There is
the expectation that the work described in the charter and in the
milestones somehow matches the work the group is doing (at least to
some approximation). See also the mail from Roman to the OAuth list
for the type of questions that surfaced:
https://mailarchive.ietf.org/arch/msg/oauth/a_MEz2SqU7JYEw3gKxKzSrRlQFA/
In time for the Prague IETF meeting a BOF request (with the shiny
name SPICE, see
https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/)
was submitted. It was subsequently approved by the IESG. SPICE aims
to cover the scope of the SD-JWT/VC work (plus work on defining the
CWT-based counterparts) -- my rough summary; details are here:
https://github.com/transmute-industries/ietf-spice-charter/blob/main/charter.md
This BOF request again raised questions about the scope and the
relationship with OAuth, see Roman's note here:
https://mailarchive.ietf.org/arch/msg/spice/Aoe86A0x6bezllwx17Xd5TOQ3Pc/
Now, we are in the final stages of preparing the BOF for the Prague
IETF and in the agenda preparation we repeatedly get asked the same
question:
"Has the transfer of some of the OAuth documents already been agreed?"
The answer is "no". Nothing has been agreed. The purpose of the BOF
is to find this agreement.
So, if you have an opinion whether some of the OAuth documents (in
particular draft-ietf-oauth-sd-jwt-vc,
draft-ietf-oauth-selective-disclosure-jwt,
draft-ietf-oauth-status-list) should move to a new working group then
you should speak up **now**.
The SPICE BOF (and the WIMSE BOF) will happen on Tuesday next week.
The first OAuth WG session happens shortly afterwards (also on
Tuesday). The outcome of the BOF(s) will guide us in our discussion
about re-chartering the OAuth working group (which is an item on the
OAuth agenda, see
https://datatracker.ietf.org/meeting/118/materials/agenda-118-oauth-03).
Rifaat, Pam and I are mediators in this process and therefore we rely
on your input. Since you have to do the work, you should think about
where you want to do it.
Ciao
Hannes
PS: A process-related note. If you are an author of a working group
document you are working for the group. With the transition from an
individual document to a working group document you have relinquished
control to the group. While your opinion is important, it has the
same weight as the opinion of any other working group participant.
The theme is "We reject: kings, presidents, and voting. We believe
in: rough consensus and running code".
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Please use my new email address:m...@danielfett.de