[Openid-specs-ab] Draft note to IETF

Nat Sakimura sakimura at gmail.com
Thu Jun 13 16:26:56 UTC 2013


Not Amazon yet. They are waiting for us. Paypal, yes.

=nat via iPhone

On Jun 14, 2013, at 1:19, Mike Jones <Michael.Jones at microsoft.com> wrote:

  Yes.  Updated below…



To: jose-chairs at tools.ietf.org; oauth-chairs at tools.ietf.org

Cc: iesg at ietf.org; draft-ietf-oauth-json-web-token at tools.ietf.org;
draft-ietf-jose-json-web-encryption at tools.ietf.org

Subject: Liaison statement from OpenID Foundation to IETF on JWT and JOSE



I’m writing on behalf of the OpenID Connect Working Group, in the OpenID
Foundation.  We have been working for three years on specifying this
identity-federation protocol. Our specifications have reached stability
(what we call “Implementer’s Drafts”) and we anticipate a final vote and
approval in the coming months.  We’re confident approval will be
forthcoming since OpenID Connect is already in production at Google and
Amazon, a product has been announced by Ping Identity, a JWT product has
shipped from Microsoft, and we expect numerous OpenID Connect and JWT
deployments in the coming months.



Our work is dependent on the JSON Web Token (JWT) and the JSON Object
Signing and Encryption (JOSE) specifications, products of the IETF OAuth
and JOSE working groups.  JWTs have been stable for some time, and code to
parse and validate them is widely available in libraries for popular
programming languages.  However, progress towards an RFC in JOSE seems
slow, which is holding up the JWT RFC in OAuth, and we do not have a clear
feeling when this work is likely to complete.  As chartered, the JOSE
documents were to have gone to working group last call a year ago and this
still has not happened.



Unfortunately, it’s not practical for our membership to wait indefinitely,
and thus our most likely course of action will be to take dependencies
on draft-ietf-oauth-json-web-token-08 and the -11 versions of the JOSE
specifications or subsequent versions that are compatible with them when
the time comes to publish our final specifications.  It would obviously be
preferable for the JWT and JOSE RFCs to be completed in a timely fashion
instead.



We bring this to your attention simply because if some other organization
were planning to lock in a dependency on one of our earlier drafts, we’d
like to hear about it.



-- Tim Bray for the OpenID Connect Working Group and the OpenID Foundation



*From:* Brian Campbell [mailto:bcampbell at pingidentity.com]

*Sent:* Thursday, June 13, 2013 9:13 AM
*To:* Mike Jones
*Cc:* Tim Bray; <openid-specs-ab at lists.openid.net>
*Subject:* Re: [Openid-specs-ab] Draft note to IETF



"were have gone" -> "were to have gone" ... ?



On Thu, Jun 13, 2013 at 9:30 AM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

Tim – a slightly revised note follows.  The working group agreed for you to
circulate it privately to insiders for feedback.  We also need to run this
by the board before formally sending it, since it’s speaking on behalf of
the foundation.  If you can let us know what kinds of informal feedback you
receive, that would be great.



                                                            -- Mike



To: jose-chairs at tools.ietf.org; oauth-chairs at tools.ietf.org

Cc: iesg at ietf.org; draft-ietf-oauth-json-web-token at tools.ietf.org;
draft-ietf-jose-json-web-encryption at tools.ietf.org

Subject: Liaison statement from OpenID Foundation to IETF on JWT and JOSE



I’m writing on behalf of the OpenID Connect Working Group, in the OpenID
Foundation.  We have been working for three years on specifying this
identity-federation protocol. Our specifications have reached stability
(what we call “Implementer’s Drafts”) and we anticipate a final vote and
approval in the coming months.  We’re confident approval will be
forthcoming since OpenID Connect is already in production at Google, a
product has been announced by Ping Identity, a JWT product has shipped from
Microsoft, and we expect numerous OpenID Connect and JWT deployments in the
coming months.



Our work is dependent on the JSON Web Token (JWT) and the JSON Object
Signing and Encryption (JOSE) specifications, products of the IETF OAuth
and JOSE working groups.  JWTs have been stable for some time, and code to
parse and validate them is widely available in libraries for popular
programming languages.  However, progress towards an RFC in JOSE seems
slow, which is holding up the JWT RFC in OAuth, and we do not have a clear
feeling when this work is likely to complete.  As chartered, the JOSE
documents were have gone to working group last call a year ago and this
still has not happened.



Unfortunately, it’s not practical for our membership to wait indefinitely,
and thus our most likely course of action will be to take dependencies
on draft-ietf-oauth-json-web-token-08 and the -11 versions of the JOSE
specifications or subsequent versions that are compatible with them when
the time comes to publish our final specifications.  It would obviously be
preferable for the JWT and JOSE RFCs to be completed in a timely fashion
instead.



We bring this to your attention simply because if some other organization
were planning to lock in a dependency on one of our earlier drafts, we’d
like to hear about it.



-- Tim Bray for the OpenID Connect Working Group and the OpenID Foundation



*From:* openid-specs-ab-bounces at lists.openid.net [mailto:
openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Brian Campbell
*Sent:* Thursday, June 13, 2013 6:30 AM
*To:* Tim Bray
*Cc:* <openid-specs-ab at lists.openid.net>
*Subject:* Re: [Openid-specs-ab] Draft note to IETF



While somewhat esoteric, it's probably important in this context to be
accurate about the various documents and the WGs that are responsible for
them.

Though JWT does depend heavily on JOSE work, it itself isn't a JOSE WG
item.  Rather it is a product of the OAUTH WG and, as such, asking the JOSE
WG to do anything with JWT doesn't make a lot of sense.

The broader issue remains though and I support the Connect group providing
some encouragement to the IETF towards progressing the dependencies. But we
probably need to acknowledge that even within the IETF the document and WG
relationships are somewhat complicated by dependencies.





On Wed, Jun 12, 2013 at 3:00 PM, Tim Bray <tbray at textuality.com> wrote:

This should go to the JOSE WG chair, the ADs for that area, and the IESG



I’m writing on behalf of the OpenID Connect Working Group, in the OpenID
Foundation.  We have been working for <insert-time-period> on specifying
this identity-federation protocol. Our specifications have reached
stability (what we call “implementor’s draft”) and we anticipate a final
vote and approval in the coming months.  We’re confident approval will be
forthcoming since OIDC is already in production at Google,
<insert-other-deployments> and we expect deployments at
<insert-other-predictions>.



Our work is dependent on JWT, a product of the IETF “jose” working group.
JWTs have been stable for some time, and code to parse and validate them
is widely available in libraries for popular programming languages.
However, progress towards an RFC in jose seems slow, and we do not have a
feeling when this work is likely to stabilize.



Unfortunately, it’s not practical for our membership to wait, and thus our
most likely course of action will be to take a dependency
on draft-ietf-oauth-json-web-token-08 when the time comes to publish our
specification.



We bring this to your attention simply because if some other organization
were planning to lock in a dependency on one of our earlier drafts, we’d
like to hear about it.



[I’m going to unofficially run this by some of my IETF-insider contacts,
but thought I should sanity-check the content here first]


_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab



