Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Phil Hunt
Specifics? Phil @independentid www.independentid.com phil.h...@oracle.com On 2013-08-22, at 1:52 PM, John Bradley wrote: > True however this is more like a client cert and that didn't take off because > of distribution and maintenance issues. > > On 2013-08-22, at 4:43 PM, Phil Hunt

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread John Bradley
True however this is more like a client cert and that didn't take off because of distribution and maintenance issues. On 2013-08-22, at 4:43 PM, Phil Hunt wrote: > TLS doesn't define how servers obtain certificates. It just assumes they are > installed. The same thing is happening here. > >

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Richer, Justin P.
Phil, I'm not objecting to it! I never have been! I've been saying all along it's a proper extension to the base dynamic registration spec because it defines optional functionality in addition to said base spec. Why do you object to it being an extension? -- Justin On Aug 22, 2013, at 4:43 PM

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Phil Hunt
TLS doesn't define how servers obtain certificates. It just assumes they are installed. The same thing is happening here. I'm not sure why this is objectionable. It is simply a broader model of your proprietary (meaning specific) solution for BB+. Phil @independentid www.independentid.com phi

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Justin Richer
But it also assumes, in many cases, a pre-registration step. I think you might be simplifying for the case of one piece of software with the same parameters talking to the same server many times. In some sense, it doesn't matter to a client developer whether they have to send their display name

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Phil Hunt
Agreed. The problem for dyn reg is most params are optional and passed at reg time. I think this also represents huge complexity to client app developers since each sp may be different. Move bulk of info to statement simplifies the registration and encourages uniformity. Phil On 2013-08-22,

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Phil Hunt
iginal Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Phil Hunt > Sent: Thursday, August 22, 2013 12:23 PM > To: Tschofenig, Hannes (NSN - FI/Espoo) > Cc: oauth mailing list > Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Justin Richer
Phil, thanks for writing this down. I think that part of the confusion in this conversation may come from the nature of items such as the client id, client secret, and even the registration access token. In many instances, these are simply random values that the server generates and stores for

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Justin Richer
013 12:23 PM To: Tschofenig, Hannes (NSN - FI/Espoo) Cc: oauth mailing list Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction! I have attached a PDF including some of my thoughts, concerns, and suggestions for the u

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

2013-08-22 Thread Anthony Nadalin
that's it? -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Thursday, August 22, 2013 12:23 PM To: Tschofenig, Hannes (NSN - FI/Espoo) Cc: oauth mailing list Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 2

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Tschofenig, Hannes (NSN - FI/Espoo)
: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT Hi Phil, Using dyn-reg-14 vocabulary: the BB+ `registration_jwt` is an "initial access token" that's used to perform a "Protected Registration" (see B.2<http://tools.ietf.org/html/draft-ie

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Justin Richer
The registration_jwt captures many of the same things that the proposed "software statement" does, and it's presented as an initial access token. The Provider then parses this token and uses the BB+ Discovery system to validate the token against the Registry that issued it. This is what we talk

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Josh Mandel
Hi Phil, Using dyn-reg-14 vocabulary: the BB+ `registration_jwt` is an "initial access token" that's used to perform a "Protected Registration" (see B.2 of dyn-reg-14). Does this make sense? (Happy to provide more detail if it

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Phil Hunt
Josh, I think BlueButton is an important example of use. Tell us more about registration_jwt (which is not part of dyn reg). Phil @independentid www.independentid.com phil.h...@oracle.com On 2013-08-20, at 8:30 AM, Josh Mandel wrote: > The group may be interested in bits of the followi

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Josh Mandel
The group may be interested in bits of the following classification that we put together for BlueButton+: http://blue-button.github.io/blue-button-plus-pull/#client-types Here, we classified apps according to 1. whether they can protect a `client_secret` and 2. whether they can protect a `regist

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Phil Hunt
By taxonomy I mean the distinct types of clients and associations. E.g. - javascript - native app - web app - apps that associate to one endpoint vs those that register with multiple based on events - perm vs temporary associations There are probably more. As Torsten mentions one of the most im

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Tschofenig, Hannes (NSN - FI/Espoo)
Hi Phil, > I think we should start by reviewing use cases taxonomy. What do you mean by "use cases taxonomy"? What exactly would we discuss under that item? > > Then a discussion on any client_id assumptions and actual requirements > for each client case. Why is registration needed for each

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Tschofenig, Hannes (NSN - FI/Espoo)
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of ext Eve Maler > Sent: Tuesday, August 20, 2013 1:33 AM > To: Justin Richer > Cc: oauth mailing list > Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: > Thu 22 Aug, 2pm PDT > > H

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Phil Hunt
>>>>>> >>>>>>>> I recall more than one in the re-chartering discussion said dyn reg >>>>> needed major changes to solve their use cases. >>>>>>>> >>>>>>>> Phil >>>>>>>>

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-20 Thread Torsten Lodderstedt
>>>>>> Phil >>>>>>> >>>>>>> On 2013-08-19, at 8:18, Justin Richer wrote: >>>>>>> >>>>>>>> Tony, I completely disagree. The proposals that I've seen have >>>> different means and di

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-19 Thread Phil Hunt
've seen have >>> different means and different end states, and they make different >>> assumptions about the relationship between entities and the >>> capabilities of all players. >>>>>>> >>>>>>> -- Justin >>>>>>> >

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-19 Thread Phil Hunt
players. >>>>>> >>>>>> -- Justin >>>>>> >>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote: >>>>>>> There are proposals out there that are trying to solve the same >> problem, but in different ways,

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-19 Thread Torsten Lodderstedt
t use cases. I do think that we need to make sure that >whatever proposal we select it needs to have a wide range of use cases >it solves, not just a single use case as the more solutions this group >produces the more confused folks will be >>>>>> >>>>>>

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-19 Thread Phil Hunt
>>>> different use cases. I do think that we need to make sure that whatever >>>>> proposal we select it needs to have a wide range of use cases it solves, >>>>> not just a single use case as the more solutions this group produces the >>>>> more confus

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

2013-08-19 Thread Eve Maler
>>> >>>> -----Original Message- >>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of >>>> Justin Richer >>>> Sent: Monday, August 19, 2013 7:27 AM >>>> To: Phil Hunt >>>> Cc: oauth mailin