Grant Negotiation and Authorization Protocol
charter-ietf-gnap-01
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
| 2020-07-10 | 01 | Cindy Morgan | New version available: charter-ietf-gnap-01.txt |
| 2020-07-10 | 00-09 | Cindy Morgan | State changed to Approved from External Review (Message to Community, Selected by Secretariat) |
| 2020-07-10 | 00-09 | Cindy Morgan | IESG has approved the charter |
| 2020-07-10 | 00-09 | Cindy Morgan | Closed "Approve" ballot |
| 2020-07-10 | 00-09 | Cindy Morgan | WG action text was changed |
| 2020-07-09 | 00-09 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
| 2020-07-09 | 00-09 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
| 2020-07-09 | 00-09 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund |
| 2020-07-09 | 00-09 | Roman Danyliw | New version available: charter-ietf-gnap-00-09.txt |
| 2020-07-09 | 00-08 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
| 2020-07-08 | 00-08 | Benjamin Kaduk | [Ballot comment] There's a spurious line break in the list of extension points (unless the last item is just a stale editing artifact?) CoAP is usually spelled with a minuscule 'o' and majuscule 'C', 'A', and 'P'. |
| 2020-07-08 | 00-08 | Benjamin Kaduk | [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk |
| 2020-07-08 | 00-08 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
| 2020-07-08 | 00-08 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
| 2020-07-08 | 00-08 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
| 2020-07-08 | 00-08 | Martin Vigoureux | [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux |
| 2020-07-08 | 00-08 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
| 2020-07-08 | 00-08 | Roman Danyliw | New version available: charter-ietf-gnap-00-08.txt |
| 2020-07-07 | 00-07 | Roman Danyliw | New version available: charter-ietf-gnap-00-07.txt |
| 2020-07-06 | 00-06 | Martin Duke | [Ballot comment] Please expand ‘AS’ on first use. |
| 2020-07-06 | 00-06 | Martin Duke | [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke |
| 2020-07-06 | 00-06 | Roman Danyliw | New version available: charter-ietf-gnap-00-06.txt |
| 2020-07-06 | 00-05 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
| 2020-07-06 | 00-05 | Roman Danyliw | Changed charter milestone "Guidelines on migration paths, implementation, and operations to WGLC", set description to "Guidelines on migration paths, implementation, and operations to Working Group Last Call" |
| 2020-07-06 | 00-05 | Roman Danyliw | Changed charter milestone "Guidelines for use of protocol extension points to WGLC", set description to "Guidelines for use of protocol extension points to Working Group Last Call" |
| 2020-07-06 | 00-05 | Roman Danyliw | Changed charter milestone "Key presentation mechanism binding to the core protocol, embedded HTTP signature, to WGLC", set description to "Key presentation mechanism binding for each communication channel to Working Group Last Call" |
| 2020-07-06 | 00-05 | Roman Danyliw | Deleted charter milestone "Key presentation mechanism binding to the core protocol, detached HTTP signatures, to WGLC" |
| 2020-07-06 | 00-05 | Roman Danyliw | Deleted charter milestone "Key presentation mechanism binding to the core protocol, TLS, to WGLC" |
| 2020-07-06 | 00-05 | Roman Danyliw | Changed charter milestone "Core delegation protocol in WGLC", set description to "Core delegation protocol to Working Group Last Call" |
| 2020-07-06 | 00-05 | Roman Danyliw | New version available: charter-ietf-gnap-00-05.txt |
| 2020-07-04 | 00-04 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
| 2020-07-01 | 00-04 | Roman Danyliw | [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw |
| 2020-06-26 | 00-04 | Cindy Morgan | Telechat date has been changed to 2020-07-09 from 2020-06-25 |
| 2020-06-26 | 00-04 | Cindy Morgan | Created "Approve" ballot |
| 2020-06-26 | 00-04 | Cindy Morgan | Closed "Ready for external review" ballot |
| 2020-06-26 | 00-04 | Cindy Morgan | State changed to External Review (Message to Community, Selected by Secretariat) from Start Chartering/Rechartering (Internal Steering Group/IAB Review) |
| 2020-06-26 | 00-04 | Cindy Morgan | WG new work message text was changed |
| 2020-06-26 | 00-04 | Cindy Morgan | WG review text was changed |
| 2020-06-26 | 00-04 | Cindy Morgan | WG review text was changed |
| 2020-06-26 | 00-04 | Cindy Morgan | WG review text was changed |
| 2020-06-25 | 00-04 | Roman Danyliw | New version available: charter-ietf-gnap-00-04.txt |
| 2020-06-25 | 00-03 | Roman Danyliw | New version available: charter-ietf-gnap-00-03.txt |
| 2020-06-25 | 00-02 | Roman Danyliw | New version available: charter-ietf-gnap-00-02.txt |
| 2020-06-25 | 00-01 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund |
| 2020-06-25 | 00-01 | Robert Wilton | [Ballot comment] Should it be HTTP/2 and HTTP/3 instead of HTTP2 and HTTP3? |
| 2020-06-25 | 00-01 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
| 2020-06-24 | 00-01 | Benjamin Kaduk | [Ballot comment] This group is chartered to develop a fine-grained delegation protocol for authorization and API access, as well as requesting and providing user identifiers and claims. nit: this appears to parse as "providing user claims", and I'm not sure what that means. The protocol will decouple the interaction channels, such as the end user’s browser [...] "interaction channels" might be a term of art that needs clarification? The client and Authorization Server (AS) will involve a user to make an authorization decision as necessary through interaction mechanisms indicated by the protocol. From a privacy perspective, will all of the information to be made available from the AS to the RS be visible to the user as they make this authorization decision? The group will define interoperability for this protocol between different parties, including - client and authorization server; - client and resource server; and - authorization server and resource server. [obligatory note that just because we define an AS/RS channel doesn't mean it will be required to use one at runtime, given the potential for self-contained tokens?] Additionally, the delegation process will allow for: [...] Do all of these need to be fully fleshed out in the main protocol spec, or could some of them be deferred to future extensions? Some of them feel much more "core" than others, to me. - Support for directed, audience-restricted access tokens I think we need to clarify what "directed" is intended to mean here (if it's not just a synonym for "audience-restricted" in which case it should just be removed). - A variety of client applications, including Web, mobile, single-page, and interaction-constrained applications side note: this one feels like it would be easier to phrase as "the WG will seek to minimize assumptions about the form of client applications, allowing for [...]" - Mechanisms for conveying user, software, organization, and other pieces of information used in authorization decisions nit: the "pieces of information" is in a weird place. What are "user pieces of information"? (Also, this is a somewhat interesting place to put an extension point, though I concede that there will eventually be need for some kind of extension here .. it just seems like we should try to make use of this extension point a rare event.) - Optimized inclusion of additional information through the delegation process (including identifiers and identity assertions) This seems pretty open-ended and prone to risky things. E.g., even just a setup with multiple identifiers quickly becomes complicated in terms of being able to make precise statements about what specifically is being proven, whether there is a guaranteed relationship between the two (or more) identities in question, etc.; and this point seems even more open-ended than just that. Additionally, the group will provide mechanisms for management of the protocol lifecycle including: [...] - Mechanisms for the AS and RS to communicate the access granted by an access token Maybe I'm just confused, but isn't "the access granted by an access token" exactly the set of authorizations conveyed by that token, i.e., the core point of the protocol? I'm not sure what kind of "protocol lifecycle management" this item is intending to indicate. This group is not chartered to develop extensions to OAuth 2.0, and as such will focus on new technological solutions not necessarily compatible with OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be developed in the OAuth Working Group, including functionality back-ported from the protocol developed here to OAuth 2.0. Perhaps s/developed in/directed to/ -- we don't need this WG's charter to make statements that are more appropriate in the OAuth WG's charter. The group is chartered to develop mechanisms for conveying identity information within the protocol including identifiers (such as email addresses, phone numbers, usernames, and subject identifiers) and assertions (such as OpenID Connect ID Tokens, SAML Assertions, and Verifiable Credentials). The group is not chartered to develop new formats for identifiers or assertions, nor is the group chartered to develop schemas for user information, profiles, or other identity attributes, unless a viable existing format is not available. This last bit is a decently sized loophole. If we leave it out that would force a recharter for picking up a new format, which might not be so bad. The working group will cooperate and coordinate with other IETF WGs such as OAUTH, and work with organizations in the community, such as the OpenID, as appropriate. nit: "organizations in the community" is an unusual phrase; I think "external organizations" is probably more common. |
| 2020-06-24 | 00-01 | Benjamin Kaduk | [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk |
| 2020-06-24 | 00-01 | Erik Kline | [Ballot comment] * Define "resource server" in the intro paragraphs before it's first encountered in a bulleted list? |
| 2020-06-24 | 00-01 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
| 2020-06-24 | 00-01 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
| 2020-06-24 | 00-01 | Roman Danyliw | Added charter milestone "Guidelines on migration paths, implementation, and operations to WGLC", due February 2022 |
| 2020-06-24 | 00-01 | Roman Danyliw | Added charter milestone "Guidelines for use of protocol extension points to WGLC", due December 2021 |
| 2020-06-24 | 00-01 | Roman Danyliw | Added charter milestone "Key presentation mechanism binding to the core protocol, embedded HTTP signature, to WGLC", due October 2021 |
| 2020-06-24 | 00-01 | Roman Danyliw | Added charter milestone "Key presentation mechanism binding to the core protocol, detached HTTP signatures, to WGLC", due October 2021 |
| 2020-06-24 | 00-01 | Roman Danyliw | Added charter milestone "Key presentation mechanism binding to the core protocol, TLS, to WGLC", due October 2021 |
| 2020-06-24 | 00-01 | Roman Danyliw | Added charter milestone "Core delegation protocol in WGLC", due July 2021 |
| 2020-06-24 | 00-01 | Barry Leiba | [Ballot comment] > (in contrast with OAuth 2.0 which is initiated by the client redirecting the user’s browser) Editorial nit: This needs a comma after “OAuth 2.0”. > The client and Authorization Server (AS) will involve a user to make an authorization decision as necessary through interaction mechanisms indicated by the protocol. This sentence seems very clumsy and unclear. The primary thing that bothers me is “mechanisms indicated by the protocol”: can we rephrase that to make it clearer what we’re talking about, perhaps by splitting the sentence, explaining what this means first, and then putting the rest of the sentence after it? Maybe something like this: NEW The protocol will include interaction mechanisms that . The client and Authorization Server (AS) will use those mechanisms to involve a user, as necessary, to make authorization decisions. END > - Support for directed, audience-restricted access tokens What does “audience-restricted” mean? Maybe this would be better phrased as, “Support for directed access tokens that restrict ” ? > - Optimized inclusion of additional information through the delegation process (including identifiers and identity assertions) Editorial nit: the parenthetical is misplaced: NEW - Optimized inclusion of additional information (including identifiers and identity assertions) through the delegation process END > The group is chartered to develop mechanisms for conveying identity information within the protocol including identifiers […] and assertions […] The group is not chartered to develop new formats for identifiers or assertions It would be good to add “existing” after “including”, for emphasis. |
| 2020-06-24 | 00-01 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
| 2020-06-24 | 00-01 | Roman Danyliw | New version available: charter-ietf-gnap-00-01.txt |
| 2020-06-24 | 00-00 | Alvaro Retana | [Ballot comment] "...the group will attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol where possible." Should there be explicit chartered work about it? It didn't seem to me that any of the proposed milestones covered migration, potential impact on existing operations, etc. |
| 2020-06-24 | 00-00 | Alvaro Retana | Ballot comment text updated for Alvaro Retana |
| 2020-06-24 | 00-00 | Alvaro Retana | [Ballot comment] "...the group will attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol where possible." Should there be explicit chartered work about it? It didn't seem to me that any of the proposed milestones covered migration, potential impact on the existing operation, etc. |
| 2020-06-24 | 00-00 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
| 2020-06-24 | 00-00 | Éric Vyncke | [Ballot comment] Some quick comments: - the charter itself is rather verbose, sometimes convoluted, and often directive (looking like the charter is about rubber stamping existing work) - nits: please expand "AS" before first use - missing milestone dates? - should this new WG work with others? |
| 2020-06-24 | 00-00 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
| 2020-06-23 | 00-00 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
| 2020-06-16 | 00-00 | Martin Duke | [Ballot comment] s/HTTP/HTTPS |
| 2020-06-16 | 00-00 | Martin Duke | [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke |
| 2020-06-16 | 00-00 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
| 2020-06-15 | 00-00 | Roman Danyliw | [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw |
| 2020-06-11 | 00-00 | Cindy Morgan | Placed on agenda for telechat - 2020-06-25 |
| 2020-06-11 | 00-00 | Roman Danyliw | WG action text was changed |
| 2020-06-11 | 00-00 | Roman Danyliw | WG review text was changed |
| 2020-06-11 | 00-00 | Roman Danyliw | WG review text was changed |
| 2020-06-11 | 00-00 | Roman Danyliw | Created "Ready for external review" ballot |
| 2020-06-11 | 00-00 | Roman Danyliw | State changed to Start Chartering/Rechartering (Internal Steering Group/IAB Review) from Draft Charter |
| 2020-06-11 | 00-00 | Roman Danyliw | Initial review time expires 2020-06-18 |
| 2020-06-11 | 00-00 | Roman Danyliw | State changed to Draft Charter from Not currently under review |
| 2020-06-11 | 00-00 | Roman Danyliw | New version available: charter-ietf-gnap-00-00.txt |