Re: WebRTC REF for OAUTH based TURN

Den 14. mars 2018 16:05, skrev Mészáros Mihály:
> 
> 
> 2018-03-14 08:37 keltezéssel, Harald Alvestrand írta:
>> Den 13. mars 2018 15:14, skrev Cullen Jennings:
>>> From a dependency point of view, I would like to note that right now the WebRTC PC spec references
>>>
>>> * draft-ietf-oauth-pop-key-distribution
>>>
>>> Which rumor has it has been replaced by 
>>>
>>> * datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz
>>>
>>> Which normatively references the following:
>>>
>>> * draft-ietf-ace-cbor-web-token
>>> * ietf-ace-cwt-proof-of-possession
>>> * draft-ietf-ace-cbor-web-token
>>> * draft-ietf-ace-cwt-proof-of-possession
>>>
>>> More discussion of this at https://github.com/w3c/webrtc-pc/issues/1642
>>>
>>> What needs to happen with all this so we can finish up the stuff WebRTC needs to reference from IETF ?
>>>
>>>
>>>
>>>
>>>
>> >From a WG product management point of view, I consider that this has not
>> deployed, and is not likely to deploy in the present timeframe, given
>> that no consensus specifiation has emerged.
>>
>> My suggestion would be to replace this text:
>>
>> An OAuth 2.0 based authentication method, as described in [RFC7635]. It
>> uses the OAuth 2.0 Implicit Grant type, with PoP (Proof-of-Possession)
>> Token type, as described in [RFC6749] and [OAUTH-POP-KEY-DISTRIBUTION].
>>  .... rest of section ....
>>
>> with
>>
>>  An OAuth 2.0 based authentication method, as described in [RFC7635].
>>
>> The amount of detail currently in the webrtc-pc document is, to my mind,
>> inappropriate for a W3C spec. If the IETF has failed to come up with a
>> single "handle" by which all this detail  can be referenced, the IETF
>> needs to solve that problem.
>>
> After the confusion around RTCIceCredential OAuth parameters in
> WebRTC-PC, I just want to close the gap between W3C WebRTC-PC and IETF
> RFC7635.
> RFC7635 is complex and confusing without a guide.
> My intention was to remove confusion and define an example guideline
> howto use RFC7635 in WebRTC context, and put all this info into the
> WebRTC-PC spec.
> 
> Now I see I went too far, and PC spec should step back and mention OAuth
> PoP only as a possible way of the key distribution, but in other hand
> the information in webrtc PC is inline with the RFC7635 example Appendix B.
> 
> Is it better to leave totally undefined howto use RFC7635 in WebRTC
> context as Harald proposed?
> I am not sure.

I think it would be better to publish an IETF document that describes
"one clear way to do it", and see if we can get interoperable
implementations of that. Then we can insert a reference to that in the
WebRTC spec when it's ready.

The current text is unimplementable because it refers to documents that
don't exist (formally) any more, which is an untenable situation.

Harald

Received on Wednesday, 14 March 2018 16:47:25 UTC