Bill,

I actually do not think that the security of either SCIM or this work is 
particularly challenging. 

For SCIM I assume that there is a close relationship between the SCIM client 
and a SCIM server (as it is common in an enterprise or single administrative 
domain scenario). 

For the dynamic registration I assume that there is no relationship between the 
two in the worst case and therefore this turns into a leap of faith type of 
provisioning. 

I may be completely wrong here but that's the impression I have at the moment. 

In any case, these questions are something to deal with once we have started 
the work. At the moment we are still attempting to finalize the re-chartering. 

Ciao
Hannes


On Apr 14, 2012, at 7:01 PM, William Mills wrote:

> Yeah, SCIM as a way to federate and distribute info like this seems sane, 
> with extensions for the data items we need here.  The hard part is still 
> around the security stuff which they have not dealt with yet, and that's 
> going to be a blocker until it's solved.  Authority to update elements or 
> namespaces is going to be needed, and that's a hard problem.
> 
> -bill
> 
> From: Eve Maler <[email protected]>
> To: Hannes Tschofenig <[email protected]> 
> Cc: "[email protected] WG" <[email protected]> 
> Sent: Friday, April 13, 2012 6:29 PM
> Subject: Re: [OAUTH-WG] Dynamic Client Registration
> 
> Hi Hannes-- That's kind of a cool idea. You're right that it's a "client 
> account" of sorts. At least worth exploring, I'd say, unless a SCIM expert 
> pipes up with a reason why not.
> 
>     Eve
> 
> On 13 Apr 2012, at 7:36 AM, Hannes Tschofenig wrote:
> 
> > Hi all, 
> > 
> > at the IETF#83 OAuth working group meeting we had some confusion about the 
> > Dynamic Client Registration and the Simple Web Discovery item. I just 
> > listened to the audio recording again. 
> > 
> > With the ongoing mailing list discussion regarding WebFinger vs. Simple Web 
> > Discovery I hope that folks had a chance to look at the documents again and 
> > so the confusion of some got resolved.  
> > 
> > I believe the proposed new charter item is sufficiently clear with regard 
> > to the scope of the work. Right? 
> > Here is the item again:
> > "
> > Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to the IESG 
> > for consideration as a Proposed Standard
> > 
> > [Starting point for the work will be 
> > http://tools.ietf.org/html/draft-hardjono-oauth-dynreg
> > ] 
> > "
> > 
> > Of course there is a relationship between Simple Web Discovery (or 
> > WebFinger) and the dynamic client registration since the client first needs 
> > to discover the client registration endpoint at the authorization server 
> > before interacting with it. 
> > 
> > Now, one thing that just came to my mind when looking again at 
> > draft-hardjono-oauth-dynreq was the following: Could the Client 
> > Registration Request and Response protocol exchange become a profile 
> > of the SCIM protocol? In some sense this exchange is nothing else than 
> > provisioning an account at the Authorization Server (along with some 
> > meta-data).
> > 
> > Is this too far fetched? 
> > 
> > Ciao
> > Hannes
> > 
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                        http://www.twitter.com/xmlgrrl
> 
