Re: WebRTC REF for OAUTH based TURN from Mészáros Mihály on 2018-03-14 (public-webrtc@w3.org from March 2018)

From: Mészáros Mihály <misi@odu.duckdns.org>
Date: Wed, 14 Mar 2018 16:05:21 +0100
To: Harald Alvestrand <harald@alvestrand.no>, Cullen Jennings <fluffy@iii.ca>, WebRTC WG <public-webrtc@w3.org>, RTCWeb IETF <rtcweb@ietf.org>
Message-ID: <ae24e25f-2656-9068-cebc-57cb66e984af@odu.duckdns.org>

2018-03-14 08:37 keltezéssel, Harald Alvestrand írta:
> Den 13. mars 2018 15:14, skrev Cullen Jennings:
>> From a dependency point of view, I would like to note that right now the WebRTC PC spec references
>>
>> * draft-ietf-oauth-pop-key-distribution
>>
>> Which rumor has it has been replaced by 
>>
>> * datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz
>>
>> Which normatively references the following:
>>
>> * draft-ietf-ace-cbor-web-token
>> * ietf-ace-cwt-proof-of-possession
>> * draft-ietf-ace-cbor-web-token
>> * draft-ietf-ace-cwt-proof-of-possession
>>
>> More discussion of this at https://github.com/w3c/webrtc-pc/issues/1642
>>
>> What needs to happen with all this so we can finish up the stuff WebRTC needs to reference from IETF ?
>>
>>
>>
>>
>>
> >From a WG product management point of view, I consider that this has not
> deployed, and is not likely to deploy in the present timeframe, given
> that no consensus specifiation has emerged.
>
> My suggestion would be to replace this text:
>
> An OAuth 2.0 based authentication method, as described in [RFC7635]. It
> uses the OAuth 2.0 Implicit Grant type, with PoP (Proof-of-Possession)
> Token type, as described in [RFC6749] and [OAUTH-POP-KEY-DISTRIBUTION].
>  .... rest of section ....
>
> with
>
>  An OAuth 2.0 based authentication method, as described in [RFC7635].
>
> The amount of detail currently in the webrtc-pc document is, to my mind,
> inappropriate for a W3C spec. If the IETF has failed to come up with a
> single "handle" by which all this detail  can be referenced, the IETF
> needs to solve that problem.
>
After the confusion around RTCIceCredential OAuth parameters in
WebRTC-PC, I just want to close the gap between W3C WebRTC-PC and IETF
RFC7635.
RFC7635 is complex and confusing without a guide.
My intention was to remove confusion and define an example guideline
howto use RFC7635 in WebRTC context, and put all this info into the
WebRTC-PC spec.

Now I see I went too far, and PC spec should step back and mention OAuth
PoP only as a possible way of the key distribution, but in other hand
the information in webrtc PC is inline with the RFC7635 example Appendix B.

Is it better to leave totally undefined howto use RFC7635 in WebRTC
context as Harald proposed?
I am not sure.

Misi

Received on Thursday, 15 March 2018 09:17:00 UTC