[Openid-specs-ab] Fwd: Re: Draft note to IETF

Justin Richer jricher at mitre.org
Mon Jun 17 16:06:17 UTC 2013


Forwarding Nat's response out to the wider list, as I believe that was
his intent.


-------- Original Message --------
Subject: 	Re: [Openid-specs-ab] Draft note to IETF
Date: 	Tue, 18 Jun 2013 00:04:36 +0900
From: 	Nat Sakimura <sakimura at gmail.com>
To: 	Justin Richer <jricher at mitre.org>



... and so is NRI; NRI has implemented OpenID Connect for several major
identity providers in Japan.


2013/6/17 Justin Richer <jricher at mitre.org <mailto:jricher at mitre.org>>

    MITRE's implementation has been live on our public server for nearly
    a year now, and a number of other groups have used the MITREid
    Connect open source project in their own deployments.

    -- Justin


    On 06/15/2013 02:53 AM, Torsten Lodderstedt wrote:
>     Deutsche Telekom's implementation is available in production since
>     last Wednesday.
>
>     Regards,
>     Torsten.
>
>     Am 13.06.2013 um 18:32 schrieb Brian Campbell
>     <bcampbell at pingidentity.com <mailto:bcampbell at pingidentity.com>>:
>
>>     Also, FWIW, Ping Identity's initial OpenID Connect product
>>     support went from just "announced" to actually "generally
>>     available" yesterday.
>>
>>     https://www.pingidentity.com/about-us/press-release.cfm?customel_datapageid_1516=70050
>>
>>
>>     On Thu, Jun 13, 2013 at 10:26 AM, Nat Sakimura
>>     <sakimura at gmail.com <mailto:sakimura at gmail.com>> wrote:
>>
>>         Not Amazon yet. They are waiting for us. Paypal, yes.
>>
>>         =nat via iPhone
>>
>>         Jun 14, 2013 1:19、Mike Jones <Michael.Jones at microsoft.com
>>         <mailto:Michael.Jones at microsoft.com>> のメッセージ:
>>
>>>         Yes. Updated below…
>>>
>>>         To: jose-chairs at tools.ietf.org
>>>         <mailto:jose-chairs at tools.ietf.org>;
>>>         oauth-chairs at tools.ietf.org <mailto:oauth-chairs at tools.ietf.org>
>>>
>>>         Cc: iesg at ietf.org <mailto:iesg at ietf.org>;
>>>         draft-ietf-oauth-json-web-token at tools.ietf.org
>>>         <mailto:draft-ietf-oauth-json-web-token at tools.ietf.org>;
>>>         draft-ietf-jose-json-web-encryption at tools.ietf.org
>>>         <mailto:draft-ietf-jose-json-web-encryption at tools.ietf.org>
>>>
>>>         Subject: Liaison statement from OpenID Foundation to IETF on
>>>         JWT and JOSE
>>>
>>>         I’m writing on behalf of the OpenID Connect Working Group,
>>>         in the OpenID Foundation. We have been working for three
>>>         years on specifying this identity-federation protocol. Our
>>>         specifications have reached stability (what we call
>>>         “Implementer’s Drafts”) and we anticipate a final vote and
>>>         approval in the coming months. We’re confident approval will
>>>         be forthcoming since OpenID Connect is already in production
>>>         at Google and Amazon, a product has been announced by Ping
>>>         Identity, a JWT product has shipped from Microsoft, and we
>>>         expect numerous OpenID Connect and JWT deployments in the
>>>         coming months.
>>>
>>>         Our work is dependent on the JSON Web Token (JWT) and the
>>>         JSON Object Signing and Encryption (JOSE) specifications,
>>>         products of the IETF OAuth and JOSE working groups. JWTs
>>>         have been stable for some time, and code to parse and
>>>         validate them is widely available in libraries for popular
>>>         programming languages. However, progress towards an RFC in
>>>         JOSE seems slow, which is holding up the JWT RFC in OAuth,
>>>         and we do not have a clear feeling when this work is likely
>>>         to complete. As chartered, the JOSE documents were to have
>>>         gone to working group last call a year ago and this still
>>>         has not happened.
>>>
>>>         Unfortunately, it’s not practical for our membership to wait
>>>         indefinitely, and thus our most likely course of action will
>>>         be to take dependencies on
>>>         draft-ietf-oauth-json-web-token-08 and the -11 versions of
>>>         the JOSE specifications or subsequent versions that are
>>>         compatible with them when the time comes to publish our
>>>         final specifications. It would obviously be preferable for
>>>         the JWT and JOSE RFCs to be completed in a timely fashion
>>>         instead.
>>>
>>>         We bring this to your attention simply because if some other
>>>         organization were planning to lock in a dependency on one of
>>>         our earlier drafts, we’d like to hear about it.
>>>
>>>         -- Tim Bray for the OpenID Connect Working Group and the
>>>         OpenID Foundation
>>>
>>>         *From:*Brian Campbell [mailto:bcampbell at pingidentity.com]
>>>         *Sent:* Thursday, June 13, 2013 9:13 AM
>>>         *To:* Mike Jones
>>>         *Cc:* Tim Bray; <openid-specs-ab at lists.openid.net
>>>         <mailto:openid-specs-ab at lists.openid.net>>
>>>         *Subject:* Re: [Openid-specs-ab] Draft note to IETF
>>>
>>>         "were have gone" -> "were to have gone" ... ?
>>>
>>>         On Thu, Jun 13, 2013 at 9:30 AM, Mike Jones
>>>         <Michael.Jones at microsoft.com
>>>         <mailto:Michael.Jones at microsoft.com>> wrote:
>>>
>>>         Tim -- a slightly revised note follows. The working group
>>>         agreed for you to circulate it privately to insiders for
>>>         feedback. We also need to run this by the board before
>>>         formally sending it, since it’s speaking on behalf of the
>>>         foundation. If you can let us know what kinds of informal
>>>         feedback you receive, that would be great.
>>>
>>>         -- Mike
>>>
>>>         To: jose-chairs at tools.ietf.org
>>>         <mailto:jose-chairs at tools.ietf.org>;
>>>         oauth-chairs at tools.ietf.org <mailto:oauth-chairs at tools.ietf.org>
>>>
>>>         Cc: iesg at ietf.org <mailto:iesg at ietf.org>;
>>>         draft-ietf-oauth-json-web-token at tools.ietf.org
>>>         <mailto:draft-ietf-oauth-json-web-token at tools.ietf.org>;
>>>         draft-ietf-jose-json-web-encryption at tools.ietf.org
>>>         <mailto:draft-ietf-jose-json-web-encryption at tools.ietf.org>
>>>
>>>         Subject: Liaison statement from OpenID Foundation to IETF on
>>>         JWT and JOSE
>>>
>>>         I’m writing on behalf of the OpenID Connect Working Group,
>>>         in the OpenID Foundation. We have been working for three
>>>         years on specifying this identity-federation protocol. Our
>>>         specifications have reached stability (what we call
>>>         “Implementer’s Drafts”) and we anticipate a final vote and
>>>         approval in the coming months. We’re confident approval will
>>>         be forthcoming since OpenID Connect is already in production
>>>         at Google, a product has been announced by Ping Identity, a
>>>         JWT product has shipped from Microsoft, and we expect
>>>         numerous OpenID Connect and JWT deployments in the coming
>>>         months.
>>>
>>>         Our work is dependent on the JSON Web Token (JWT) and the
>>>         JSON Object Signing and Encryption (JOSE) specifications,
>>>         products of the IETF OAuth and JOSE working groups. JWTs
>>>         have been stable for some time, and code to parse and
>>>         validate them is widely available in libraries for popular
>>>         programming languages. However, progress towards an RFC in
>>>         JOSE seems slow, which is holding up the JWT RFC in OAuth,
>>>         and we do not have a clear feeling when this work is likely
>>>         to complete. As chartered, the JOSE documents were have gone
>>>         to working group last call a year ago and this still has not
>>>         happened.
>>>
>>>         Unfortunately, it’s not practical for our membership to wait
>>>         indefinitely, and thus our most likely course of action will
>>>         be to take dependencies on
>>>         draft-ietf-oauth-json-web-token-08 and the -11 versions of
>>>         the JOSE specifications or subsequent versions that are
>>>         compatible with them when the time comes to publish our
>>>         final specifications. It would obviously be preferable for
>>>         the JWT and JOSE RFCs to be completed in a timely fashion
>>>         instead.
>>>
>>>         We bring this to your attention simply because if some other
>>>         organization were planning to lock in a dependency on one of
>>>         our earlier drafts, we’d like to hear about it.
>>>
>>>         -- Tim Bray for the OpenID Connect Working Group and the
>>>         OpenID Foundation
>>>
>>>         *From:*openid-specs-ab-bounces at lists.openid.net
>>>         <mailto:openid-specs-ab-bounces at lists.openid.net>
>>>         [mailto:openid-specs-ab-bounces at lists.openid.net
>>>         <mailto:openid-specs-ab-bounces at lists.openid.net>] *On
>>>         Behalf Of *Brian Campbell
>>>         *Sent:* Thursday, June 13, 2013 6:30 AM
>>>         *To:* Tim Bray
>>>         *Cc:* <openid-specs-ab at lists.openid.net
>>>         <mailto:openid-specs-ab at lists.openid.net>>
>>>         *Subject:* Re: [Openid-specs-ab] Draft note to IETF
>>>
>>>         While somewhat esoteric, it's probably important in this
>>>         context to be accurate about the various documents and the
>>>         WGs that are responsible for them.
>>>
>>>         Though JWT does depend heavily on JOSE work, it itself isn't
>>>         a JOSE WG item. Rather it is a product of the OAUTH WGand,
>>>         as such, asking the JOSE WG to do anything with JWT doesn't
>>>         make a lot of sense.
>>>
>>>         The broader issue remains though and I support the Connect
>>>         group providing some encouragement to the IETF towards
>>>         progressing the dependencies. But we probably need to
>>>         acknowledge that even within the IETF the document and WG
>>>         relationships are somewhat complicated by dependencies.
>>>
>>>         On Wed, Jun 12, 2013 at 3:00 PM, Tim Bray
>>>         <tbray at textuality.com <mailto:tbray at textuality.com>> wrote:
>>>
>>>         This should go to the JOSE WG chair, the ADs for that area,
>>>         and the IESG
>>>
>>>         I’m writing on behalf of the OpenID Connect Working Group,
>>>         in the OpenID Foundation. We have been working for
>>>         <insert-time-period> on specifying this identity-federation
>>>         protocol. Our specifications have reached stability (what we
>>>         call “implementor’s draft”) and we anticipate a final vote
>>>         and approval in the coming months. We’re confident approval
>>>         will be forthcoming since OIDC is already in production at
>>>         Google, <insert-other-deployments> and we expect deployments
>>>         at <insert-other-predictions>.
>>>
>>>         Our work is dependent on JWT, a product of the IETF “jose”
>>>         working group. JWTs have been stable for some time, and code
>>>         to parse and validate them is widely available in libraries
>>>         for popular programming languages. However, progress towards
>>>         an RFC in jose seems slow, and we do not have a feeling when
>>>         this work is likely to stabilize.
>>>
>>>         Unfortunately, it’s not practical for our membership to
>>>         wait, and thus our most likely course of action will be to
>>>         take a dependency on draft-ietf-oauth-json-web-token-08 when
>>>         the time comes to publish our specification.
>>>
>>>         We bring this to your attention simply because if some other
>>>         organization were planning to lock in a dependency on one of
>>>         our earlier drafts, we’d like to hear about it.
>>>
>>>         [I’m going to unofficially run this by some of my
>>>         IETF-insider contacts, but thought I should sanity-check the
>>>         content here first]
>>>
>>>
>>>         _______________________________________________
>>>         Openid-specs-ab mailing list
>>>         Openid-specs-ab at lists.openid.net
>>>         <mailto:Openid-specs-ab at lists.openid.net>
>>>         http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>>
>>>         _______________________________________________
>>>         Openid-specs-ab mailing list
>>>         Openid-specs-ab at lists.openid.net
>>>         <mailto:Openid-specs-ab at lists.openid.net>
>>>         http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>>         _______________________________________________
>>>         Openid-specs-ab mailing list
>>>         Openid-specs-ab at lists.openid.net
>>>         <mailto:Openid-specs-ab at lists.openid.net>
>>>         http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>>     _______________________________________________
>>     Openid-specs-ab mailing list
>>     Openid-specs-ab at lists.openid.net
>>     <mailto:Openid-specs-ab at lists.openid.net>
>>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>     _______________________________________________
>     Openid-specs-ab mailing list
>     Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-ab


    _______________________________________________
    Openid-specs-ab mailing list
    Openid-specs-ab at lists.openid.net
    <mailto:Openid-specs-ab at lists.openid.net>
    http://lists.openid.net/mailman/listinfo/openid-specs-ab




-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130617/a48d3b16/attachment-0001.html>


More information about the Openid-specs-ab mailing list