[{"author": "Brian Campbell", "text": "

he would have appreciated that joke :)

", "time": "2023-11-07T14:33:22Z"}, {"author": "Brian Campbell", "text": "

no

", "time": "2023-11-07T14:38:58Z"}, {"author": "Brian Campbell", "text": "

sorry

", "time": "2023-11-07T14:38:59Z"}, {"author": "Brian Campbell", "text": "

was trying to \"clap\" virtually

", "time": "2023-11-07T14:39:11Z"}, {"author": "Aaron Parecki", "text": "

Hah that's one way to do it

", "time": "2023-11-07T14:40:44Z"}, {"author": "Rohan Mahy", "text": "

The SPICE must flow!
\nhttps://www.youtube.com/watch?v=dcgft-iiZ_s

\n
", "time": "2023-11-07T14:46:18Z"}, {"author": "Richard Barnes", "text": "

wow, that was not what i expected that video to be

", "time": "2023-11-07T14:47:01Z"}, {"author": "Richard Barnes", "text": "

maybe we just need to rename the group to something other than OAUTH

", "time": "2023-11-07T14:47:13Z"}, {"author": "Kristina Yasuda", "text": "

love your hat, Brian

", "time": "2023-11-07T14:48:17Z"}, {"author": "Richard Barnes", "text": "

it does seem like there is a coherent body of work/expertise here, the only real question is how to describe it

", "time": "2023-11-07T14:48:47Z"}, {"author": "Denis PINKAS", "text": "

OAuth is about delegation from a Resource Owner (RO); it is not about Authentication, nor Attribute-Based Access Control (ABAC). The 3 roles model (Holder - Issuer - Verifier) does not fit under the OAuth 2.X framework.

", "time": "2023-11-07T14:49:38Z"}, {"author": "Richard Barnes", "text": "

Can we just declare some formal equivalence between JSON and CBOR so we can stop double-defining everything?

", "time": "2023-11-07T14:53:46Z"}, {"author": "Michael Jenkins", "text": "

is not cms:asn.1::jose:json::cose:cbor? But how much do the communities overlap?

", "time": "2023-11-07T14:55:10Z"}, {"author": "Richard Barnes", "text": "

JOSE and COSE are closer than either to CMS.

", "time": "2023-11-07T14:56:24Z"}, {"author": "Daniel Fett", "text": "

Richard Barnes said:

\n
\n

Can we just declare some formal equivalence between JSON and CBOR so we can stop double-defining everything?

\n
\n

No, for the reasons I listed here: https://mailarchive.ietf.org/arch/msg/oauth/AGKBvNhWOe4g467QeLhyaJK2eos/

", "time": "2023-11-07T14:56:46Z"}, {"author": "Daniel Fett", "text": "

(Well, we could do it, but it would lead to less-than-ideal solutions.)

", "time": "2023-11-07T14:57:07Z"}, {"author": "Richard Barnes", "text": "

Full employment program for standards professionals, i guess

", "time": "2023-11-07T14:57:09Z"}, {"author": "Rohan Mahy", "text": "

Why wouldn't SPICE take both SD-JWT and SD-CWT, for example?

", "time": "2023-11-07T14:59:19Z"}, {"author": "Richard Barnes", "text": "

@Rohan - that's what i was thinking

", "time": "2023-11-07T14:59:31Z"}, {"author": "Richard Barnes", "text": "

or at least SD-JWT-VC

", "time": "2023-11-07T14:59:46Z"}, {"author": "Richard Barnes", "text": "

and SD-CWT-VC

", "time": "2023-11-07T14:59:51Z"}, {"author": "Jacques Latour", "text": "

also a newbie here; where would this internet draft fit? it's not DANE/DANCE... this is bridging web creds to DNS...
\nhttps://datatracker.ietf.org/doc/draft-latour-dns-and-digital-trust/

", "time": "2023-11-07T14:59:52Z"}, {"author": "Richard Barnes", "text": "

but also, don't pause SD-JWT-VC pending this discussion

", "time": "2023-11-07T15:00:05Z"}, {"author": "Justin Richer", "text": "

Rohan, I agree with that split

", "time": "2023-11-07T15:00:17Z"}, {"author": "Richard Barnes", "text": "

@Jacques - that question is ideal for the SECDISPATCH mailing list

", "time": "2023-11-07T15:00:30Z"}, {"author": "Jacques Latour", "text": "

send me an email; jacques.latour@cira.ca

", "time": "2023-11-07T15:01:08Z"}, {"author": "John Andersen", "text": "

Does anyone know who just came up to the mic to talk about TEEs workload auth?

", "time": "2023-11-07T15:04:52Z"}, {"author": "Rohan Mahy", "text": "

@Justin Richer sorry, I didn't understand. You think SPICE should only take the COSE 3-party work, or you think it should take COSE and JOSE 3-party?

", "time": "2023-11-07T15:06:16Z"}, {"author": "Denis PINKAS", "text": "

Trusted Applications (TAs) and TEEs (Trusted Execution Environments) should indeed be part of the whole picture.

", "time": "2023-11-07T15:06:47Z"}, {"author": "Richard Barnes", "text": "

Rename OAuth to the \"JWT Clubhouse\"

", "time": "2023-11-07T15:08:43Z"}, {"author": "Kristina Yasuda", "text": "

really like roman's suggestion to clarify that oauth wg: 1/ maintains oauth protocol and its extensions; 2/ works on JWT related stuff.

", "time": "2023-11-07T15:09:01Z"}, {"author": "Kristina Yasuda", "text": "

I kind of disagree sd-jwt would have belonged to spice if it existed when we drafted it...

", "time": "2023-11-07T15:09:40Z"}, {"author": "Denis PINKAS", "text": "

If the work on SD-JWT continues in the OAuth WG, we should first define a \"Three roles framework\".

", "time": "2023-11-07T15:09:54Z"}, {"author": "Jacques Latour", "text": "

would something like this be in scope of JWT? https://www.w3.org/TR/vc-data-model/

", "time": "2023-11-07T15:10:12Z"}, {"author": "Kristina Yasuda", "text": "

sd-jwt itself has no binding to the three party model. sd-jwt vc is what is bound to three party model

", "time": "2023-11-07T15:10:21Z"}, {"author": "Richard Barnes", "text": "

@Kristina - I would agree with you except for the key binding part

", "time": "2023-11-07T15:10:58Z"}, {"author": "Denis PINKAS", "text": "

@Kristina
\nThe 3 roles model (Holder - Issuer - Verifier) is not a three parties model.

", "time": "2023-11-07T15:12:09Z"}, {"author": "Ryo Kajiwara", "text": "

personally +1 to splitting between \"work related to RFC6749\" and \"three-parties model\"

", "time": "2023-11-07T15:12:51Z"}, {"author": "Jacques Latour", "text": "

@Denis, there's a 4th role, the \"trust registry\"

", "time": "2023-11-07T15:13:20Z"}, {"author": "Rohan Mahy", "text": "

FYI @Roman Danyliw JWT was adopted in oauth in May 2012, while JOSE adopted new work in Dec 2014 and didn't close until 2016. Mike's explanation makes sense that it was about the people.

", "time": "2023-11-07T15:13:29Z"}, {"author": "Richard Barnes", "text": "

@Jacques - Please don't make things more complicated than they need to be :)

", "time": "2023-11-07T15:13:44Z"}, {"author": "Denis PINKAS", "text": "

@Jacques
\nThe W3C VCDM is only a data model with no protocol defined.

", "time": "2023-11-07T15:13:54Z"}, {"author": "Rohan Mahy", "text": "

Kristina Yasuda said:

\n
\n

sd-jwt itself has no binding to the three party model. sd-jwt vc is what is bound to three party model

\n
\n

I can see that you could use it in other use cases, but do you have an existence proof for anyone who plans to use it in a 2-party (or some other) environment?

", "time": "2023-11-07T15:15:20Z"}, {"author": "Denis PINKAS", "text": "

@Jacques
\nThere are many more entities involved in the 3 roles model (i.e., Holder - Issuer - Verifier). e.g. TAs and TEEs and mobile phone manufacturers.

", "time": "2023-11-07T15:16:37Z"}, {"author": "Roman Danyliw", "text": "

Rohan Mahy said:

\n
\n

FYI Roman Danyliw JWT was adopted in oauth in May 2012, while JOSE adopted new work in Dec 2014 and didn't close until 2016. Mike's explanation makes sense that it was about the people.

\n
\n

Understood. I thought we were talking about CWT adoption and why it wasn't done in JOSE.

", "time": "2023-11-07T15:18:10Z"}, {"author": "Jonathan Hoyland", "text": "

Did someone say formal methods?

", "time": "2023-11-07T15:28:35Z"}, {"author": "Richard Barnes", "text": "

Hoyland Hoyland Hoyland!

", "time": "2023-11-07T15:29:08Z"}, {"author": "Jonathan Hoyland", "text": "

\"Formally analysing would be extremely boring\" ouch

", "time": "2023-11-07T15:29:28Z"}, {"author": "Richard Barnes", "text": "

sometimes small boring models are the best models

", "time": "2023-11-07T15:29:44Z"}, {"author": "Richard Barnes", "text": "

Oh I forgot to say -- I noted a couple minor things that i will get filed soon

", "time": "2023-11-07T15:30:01Z"}, {"author": "Richard Barnes", "text": "

Actually, it might not be a bad idea to have a reference impl in the spec repo

", "time": "2023-11-07T15:30:27Z"}, {"author": "Richard Barnes", "text": "

we did that in SFrame and it has been helpful (though easier there bc it's symmetric crypto)

", "time": "2023-11-07T15:30:44Z"}, {"author": "Jonathan Hoyland", "text": "

Also, can I just comment that you can make models as complex and exciting as you like, although that's usually an antigoal

", "time": "2023-11-07T15:30:53Z"}]