<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.m4397229464822769143m-2561960222176891354m3618809551850153041apple-converted-space
        {mso-style-name:m_4397229464822769143m-2561960222176891354m3618809551850153041apple-converted-space;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I won’t be there Friday. We could chat about it tomorrow if you are at the MS event.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 4/18/18, 2:31 PM, someone claiming to be "Marius Scurtescu" <<a href="mailto:mscurtescu@google.com">mscurtescu@google.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><a name="_MailOriginalBody">Let's add this as an agenda item for the face-to-face on Friday.<o:p></o:p></a></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"><br clear="all">
<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">Marius<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">On Wed, Apr 18, 2018 at 10:41 AM, Skyberg, David <</span><a href="mailto:David.Skyberg@capitalone.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">David.Skyberg@capitalone.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">To what degree does at least the start of a trust framework need to be assumed before normative statements about OAuth 2 can be spec’d?  Ie,
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">=D=<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:12.0pt;color:black">From:
</span></b></span><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">Openid-specs-risc <</span></span><a href="mailto:openid-specs-risc-bounces@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">openid-specs-risc-bounces@lists.openid.net</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">>
 on behalf of "Hardt, Dick via Openid-specs-risc" <</span></span><a href="mailto:openid-specs-risc@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">openid-specs-risc@lists.openid.net</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Reply-To: </b>"Hardt, Dick" <</span></span><a href="mailto:dick@amazon.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">dick@amazon.com</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Date: </b>Tuesday, April 17, 2018 at 10:43 PM<br>
<b>To: </b>Marius Scurtescu <</span></span><a href="mailto:mscurtescu@google.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">mscurtescu@google.com</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Cc: </b>Dick Hardt via Openid-specs-risc <</span></span><a href="mailto:openid-specs-risc@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt">openid-specs-risc@lists.openid.net</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:12.0pt;color:black">><br>
<b>Subject: </b>Re: [Openid-specs-risc] Dependence on RFC6750 conflicts with other OIDF groups</span><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"><a name="m_4397229464822769143__MailOriginalBody">RFC 6749 says how to obtain a token. 6750 is how to present it, which is what is required to make the API call. Specifying 6750 lets implementers know how calls
 will be made, and that they are like most OAuth based calls, rather than using mutual TLS or basic auth.
</a><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">I believe we are talking RISC on this list.<o:p></o:p></span></p>
<div id="m_4397229464822769143AppleMailSignature">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">-- Dick<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"><br>
On Apr 17, 2018, at 10:05 PM, Marius Scurtescu <</span><a href="mailto:mscurtescu@google.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">mscurtescu@google.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">Well, that was my point when I initially made OAuth 2 a requirement for the RISC Profile. Based on Phil's comments, you suggested loosening that up and only requiring a bearer token; with that we already lost interop, and
 I don't see a problem with loosening further. <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">We have to decide what the charter of RISC is, and if RISC cannot be specific about OAuth 2 then we need some other profile that anchors everything in OAuth 2 (or maybe in OIDC). All implementations I am aware of
 are anchored in OAuth 2 (access tokens, client ids, etc).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">I agree with Phil that in general secevent should allow other authorization methods, but I am not sure whether RISC should also allow that, and where things would become concrete.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"><br clear="all">
<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">Marius<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">On Tue, Apr 17, 2018 at 8:34 PM, Hardt, Dick <</span><a href="mailto:dick@amazon.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">dick@amazon.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody">Marius: what is the point if it is non-normative?  There is little value in referencing OAuth unless you are going to specify something that promotes interop.<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">On 4/17/18, 3:51 PM, someone claiming to be "Marius Scurtescu" <</span><a href="mailto:mscurtescu@google.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">mscurtescu@google.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">Phil, <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">I think suggesting in a non-normative way the use of OAuth Bearer tokens, or even OAuth 2 access tokens makes sense.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">Dependence on RFC 7519, on the other hand, does not work. Most OAuth 2 implementations are not using JWT as the token format. Maybe I misunderstand.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">Are you OK with changing the OAuth Bearer token reference to a non-normative one?<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"><br clear="all">
<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">Marius<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">On Fri, Apr 6, 2018 at 11:16 AM, Hardt, Dick via Openid-specs-risc <</span><a href="mailto:openid-specs-risc@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody">openid-specs-risc@lists.openid.net</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody">FAPI and iGov are standards, not an organization. Is there a reason why an organization that is using FAPI or iGov cannot use bearer tokens?<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">On 4/6/18, 9:59 AM, someone claiming to be "Phil Hunt" <</span><a href="mailto:phil.hunt@oracle.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">phil.hunt@oracle.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">I cited FAPI and iGov as examples of cases that cannot use bearer tokens as defined by RFC6750.
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">I agree that one advantage of 6750 is it does not mandate JWT.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">This is why I stated that mandating JWT would be a compromise.  We discussed in the past that the compromise was that JWTs could be manually generated in the absence of OAuth token servers.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"><span style="color:black">Phil</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"><span style="color:black"> </span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"><span style="color:black">Oracle Corporation, Identity Cloud Services Architect</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"><span style="color:black">@independentid</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"></span><a href="http://www.independentid.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">www.independentid.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"></span><a href="mailto:phil.hunt@oracle.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">phil.hunt@oracle.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">On Apr 6, 2018, at 9:51 AM, Hardt, Dick <</span><a href="mailto:dick@amazon.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">dick@amazon.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">An OAuth Bearer token != a JWT. Dictating JWT would force deployments that have their own proprietary tokens to adopt JWT, for zero benefit as the token issuer and token receiver are the same entity, so there
 is no requirement for interop.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">While there are numerous ways to authenticate, picking one widely deployed mechanism simplifies adoption.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">It is unclear why a bearer token for RISC would be in conflict with someone that has used FAPI or iGov. Just because they use a POP for authentication of the user, does not mean they can’t use a bearer token for
 the RISC control plane.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">Do you have an example of someone that wants to deploy RISC where 6750 would be problematic?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">/Dick<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">On 4/6/18, 9:22 AM, someone claiming to be "Openid-specs-risc on behalf of Phil Hunt via Openid-specs-risc" <</span><a href="mailto:openid-specs-risc-bounces@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="color:purple">openid-specs-risc-bounces@lists.openid.net</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><span class="m4397229464822769143m-2561960222176891354m3618809551850153041apple-converted-space"> </span>on
 behalf of<span class="m4397229464822769143m-2561960222176891354m3618809551850153041apple-converted-space"> </span></span><a href="mailto:openid-specs-risc@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="color:purple">openid-specs-risc@lists.openid.net</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
 wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"><a name="m_4397229464822769143_m_-256196022217689">The dependence on RFC6750 (OAuth bearer tokens) is a concern because it limits security agility.</a><o:p></o:p></span></p>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">As I have stated, my preference is for any HTTP security mechanism to be permissible, because implicit federation entities are not always using OAuth-based infrastructure; yet many do have sophisticated IDM and security
 systems. <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">That concern aside, there are other OIDF working groups (FAPI and iGov) that are mandating the use of bound or proof-of-possession tokens. These groups would be unable to use RISC’s proposed bearer token security
 model as they only accept token binding and mutual TLS-bound tokens.<o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">As a compromise, I suggest the dependence be made on RFC7519 (JWT tokens) instead of RFC6750.  It would be reasonable to suggest, in a non-normative way the use of OAuth Bearer tokens as an example solution for RISC.<o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">Phil<o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">Oracle Corporation, Identity Cloud Services Architect<o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody">@independentid<o:p></o:p></span></p>
</div>
</div>
<div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"></span><a href="http://www.independentid.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="color:purple">www.independentid.com</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"></span><a href="mailto:phil.hunt@oracle.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody"><span style="color:purple">phil.hunt@oracle.com</span></span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"><br>
_______________________________________________<br>
Openid-specs-risc mailing list<br>
</span><a href="mailto:Openid-specs-risc@lists.openid.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody">Openid-specs-risc@lists.openid.net</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><br>
</span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-risc" target="_blank"><span style="mso-bookmark:_MailOriginalBody">http://lists.openid.net/mailman/listinfo/openid-specs-risc</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
</blockquote>
</div>
<span style="mso-bookmark:_MailOriginalBody"></span>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
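<p class="MsoNormal">Added example for the question the thread keeps circling (how a token is presented versus what format it is in, and what a bound token changes). This is not code from any participant, from the RISC profile or from the OpenID Foundation: it is a resource-server check for a RISC-style endpoint that takes the token the way RFC 6750 says to present it (<code>Authorization: Bearer</code>), then validates it whatever its format, either as a JWT (RFC 7519) verified locally or as an opaque string checked against a store that stands in for RFC 7662 introspection. If the JWT carries an RFC 8705 <code>cnf</code> binding, the presenting TLS client certificate must match, which is how an mTLS-bound token still travels in a Bearer header. The HMAC key, the audience URL, the opaque-token store and every token minted below are constructed for the demonstration.</p>

```python
# Added example (not from the mailing-list thread, the RISC profile or any
# participant): RFC 6750 presentation on the wire, token format decided only
# after the header has been parsed, RFC 8705 cnf binding enforced when present.
# Key, audience, opaque-token store and all tokens are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

HMAC_KEY = b"constructed-demo-key-do-not-reuse"    # shared with a hypothetical issuer
EXPECTED_AUD = "https://receiver.example/risc"     # hypothetical RISC receiver endpoint
OPAQUE_STORE = {                                   # constructed: token -> issuer metadata
    "opaque-token-1": {"exp": 9_999_999_999, "scope": "risc"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url(SHA-256(DER certificate))."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def mint_hs256_jwt(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Issue an HS256 JWT; present only so the example is self-contained."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def parse_bearer(headers: dict) -> Optional[str]:
    """RFC 6750 section 2.1: 'Authorization: Bearer <token>'; the scheme is case-insensitive."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def verify_jwt(token: str, now: float, client_cert_der: Optional[bytes]) -> Optional[dict]:
    """Pin the algorithm, check the signature, expiry and audience, then the optional binding."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:                    # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":      # rejects 'none' and any algorithm we did not agree on
        return None
    expected = hmac.new(HMAC_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now or claims.get("aud") != EXPECTED_AUD:
        return None
    cnf = claims.get("cnf")
    if cnf is not None:                   # sender-constrained token: presenter must hold the cert
        if not isinstance(cnf, dict) or client_cert_der is None:
            return None
        presented = cert_thumbprint(client_cert_der).encode()
        if not hmac.compare_digest(presented, str(cnf.get("x5t#S256", "")).encode()):
            return None
    return claims


def verify_opaque(token: str, now: float) -> Optional[dict]:
    """Stand-in for an RFC 7662 introspection call: the issuer, not the format, decides."""
    entry = OPAQUE_STORE.get(token)
    if entry is None or entry["exp"] <= now:
        return None
    return dict(entry)


def authorize(headers: dict, now: Optional[float] = None,
              client_cert_der: Optional[bytes] = None) -> tuple:
    """Return (status, detail): 200 with the accepted claims, or 401 with the
    RFC 6750 section 3 WWW-Authenticate challenge value the endpoint should send."""
    now = time.time() if now is None else now
    token = parse_bearer(headers)
    if token is None:
        return 401, 'Bearer realm="risc"'
    # Two dots means JWS compact serialization; anything else is treated as opaque.
    if token.count(".") == 2:
        claims = verify_jwt(token, now, client_cert_der)
    else:
        claims = verify_opaque(token, now)
    if claims is None:
        return 401, 'Bearer realm="risc", error="invalid_token"'
    return 200, claims


if __name__ == "__main__":
    now = time.time()
    jwt = mint_hs256_jwt({"aud": EXPECTED_AUD, "exp": now + 60, "scope": "risc"})
    print(authorize({"Authorization": "Bearer " + jwt}, now)[0])           # 200
    print(authorize({"Authorization": "Bearer opaque-token-1"}, now)[0])  # 200
    print(authorize({"Authorization": "Basic dXNlcjpwdw=="}, now))        # 401 with challenge
```

<p class="MsoNormal">The split between <code>parse_bearer</code> and the two verifiers is the point of the example: the endpoint commits to one presentation mechanism (a Bearer header and a Bearer challenge on failure) while the issuer remains free to hand out JWTs or opaque strings, and a deployment that requires mTLS-bound tokens only adds the <code>cnf</code> check, which refuses a bound token presented without the matching client certificate. The HS256 shared key is a simplification; a real transmitter would verify an asymmetric signature against the issuer's published keys.</p>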
</div>
</body>
</html>