[Openid-specs-ab] Draft note to IETF

Tim Bray tbray at textuality.com
Thu Jun 13 16:16:36 UTC 2013 

I don’t think my IETF connections add the slightest weight.  This is coming
from the OpenID Foundation and really needs to be signed by someone with an
OIDF title. Why not Don?  -T


On Thu, Jun 13, 2013 at 9:10 AM, Mike Jones <Michael.Jones at microsoft.com>wrote:

>  It can’t come from me, because I’m viewed by some as the biased voice
> trying to preserve what I wrote.****
>
> ** **
>
> You have history with the IETF that none of us do, which gives the note
> more weight.  You also haven’t been involved in most of the niggling
> battles over features, so you’re more above the fray.  So I really do think
> you’re the right person.****
>
> ** **
>
>                                                             -- Mike****
>
> ** **
>
> *From:* Tim Bray [mailto:tbray at textuality.com]
> *Sent:* Thursday, June 13, 2013 9:07 AM
> *To:* Mike Jones
>
> *Cc:* <openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] Draft note to IETF****
>
> ** **
>
> I don't really object, but wouldn’t this do better coming from someone
> with an actual OIDF title, like you as chair or Don Thibeau? -T****
>
> ** **
>
> On Thu, Jun 13, 2013 at 8:30 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:****
>
> Tim – a slightly revised note follows.  The working group agreed for you
> to circulate it privately to insiders for feedback.  We also need to run
> this by the board before formally sending it, since it’s speaking on behalf
> of the foundation.  If you can let us know what kinds of informal feedback
> you receive, that would be great.****
>
>  ****
>
>                                                             -- Mike****
>
>  ****
>
> To: jose-chairs at tools.ietf.org; oauth-chairs at tools.ietf.org****
>
> Cc: iesg at ietf.org; draft-ietf-oauth-json-web-token at tools.ietf.org;
> draft-ietf-jose-json-web-encryption at tools.ietf.org****
>
> Subject: Liaison statement from OpenID Foundation to IETF on JWT and JOSE*
> ***
>
>  ****
>
> I’m writing on behalf of the OpenID Connect Working Group, in the OpenID
> Foundation.  We have been working for three years on specifying this
> identity-federation protocol. Our specifications have reached stability
> (what we call “Implementer’s Drafts”) and we anticipate a final vote and
> approval in the coming months.  We’re confident approval will be
> forthcoming since OpenID Connect is already in production at Google, a
> product has been announced by Ping Identity, a JWT product has shipped from
> Microsoft, and we expect numerous OpenID Connect and JWT deployments in the
> coming months.****
>
>  ****
>
> Our work is dependent on the JSON Web Token (JWT) and the JSON Object
> Signing and Encryption (JOSE) specifications, products of the IETF OAuth
> and JOSE working groups.  JWTs have been stable for some time, and code to
> parse and validate them is widely available in libraries for popular
> programming languages.  However, progress towards an RFC in JOSE seems
> slow, which is holding up the JWT RFC in OAuth, and we do not have a clear
> feeling when this work is likely to complete.  As chartered, the JOSE
> documents were have gone to working group last call a year ago and this
> still has not happened.****
>
>  ****
>
> Unfortunately, it’s not practical for our membership to wait indefinitely,
> and thus our most likely course of action will be to take dependencies
> on draft-ietf-oauth-json-web-token-08 and the -11 versions of the JOSE
> specifications or subsequent versions that are compatible with them when
> the time comes to publish our final specifications.  It would obviously be
> preferable for the JWT and JOSE RFCs to be completed in a timely fashion
> instead.****
>
>  ****
>
> We bring this to your attention simply because if some other organization
> were planning to lock in a dependency on one of our earlier drafts, we’d
> like to hear about it.****
>
>  ****
>
> -- Tim Bray for the OpenID Connect Working Group and the OpenID Foundation
> ****
>
>  ****
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Brian Campbell
> *Sent:* Thursday, June 13, 2013 6:30 AM
> *To:* Tim Bray
> *Cc:* <openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] Draft note to IETF****
>
>  ****
>
> While somewhat esoteric, it's probably important in this context to be
> accurate about the various documents and the WGs that are responsible for
> them.****
>
> Though JWT does depend heavily on JOSE work, it itself isn't a JOSE WG
> item.  Rather it is a product of the OAUTH WG and, as such, asking the
> JOSE WG to do anything with JWT doesn't make a lot of sense.****
>
> The broader issue remains though and I support the Connect  group
> providing some encouragement to the IETF towards progressing the
> dependencies. But we probably need to acknowledge that even within the IETF
> the document and WG relationships are somewhat complicated by dependencies.
> ****
>
>  ****
>
>  ****
>
> On Wed, Jun 12, 2013 at 3:00 PM, Tim Bray <tbray at textuality.com> wrote:***
> *
>
> This should go to the JOSE WG chair, the ADs for that area, and the IESG**
> **
>
>  ****
>
> I’m writing on behalf of the OpenID Connect Working Group, in the OpenID
> Foundation.  We have been working for <insert-time-period> on specifying
> this identity-federation protocol. Our specifications have reached
> stability (what we call “implementor’s draft”) and we anticipate a final
> vote and approval in the coming months.  We’re confident approval will be
> forthcoming since OIDC is already in production at Google,
> <insert-other-deployments> and we expect deployments at
> <insert-other-predictions>.****
>
>  ****
>
> Our work is dependent on JWT, a product of the IETF “jose” working group.
>  JWTs have been stable for some time, and code to parse and validate them
> is widely available in libraries for popular programming languages.
>  However, progress towards an RFC in jose seems slow, and we do not have a
> feeling when this work is likely to stabilize.****
>
>  ****
>
> Unfortunately, it’s not practical for our membership to wait, and thus our
> most likely course of action will be to take a dependency
> on draft-ietf-oauth-json-web-token-08 when the time comes to publish our
> specification.  ****
>
>  ****
>
> We bring this to your attention simply because if some other organization
> were planning to lock in a dependency on one of our earlier drafts, we’d
> like to hear about it.  ****
>
>  ****
>
> [I’m going to unofficially run this by some of my IETF-insider contacts,
> but thought I should sanity-check the content here first]****
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab****
>
>  ****
>
> ** **
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130613/0120e634/attachment.html>

More information about the Openid-specs-ab mailing list