Authentication Method Reference Values
draft-ietf-oauth-amr-values-08

[Ballot comment]

Thanks for clarifying that amr represents classes of auth methods and
not (always) individual methods, that all makes more sense now;-)

I think you might usefully add the phrase "classes of" (or similar) to
the draft in a few places to help folks understand that, in particular,
I spotted two places where I think something like that'd be good:

1. in the definition, I'd suggest:

OLD:

amr
      OPTIONAL.  Authentication Methods References.  JSON array of
      strings that are identifiers for authentication methods used in
      the authentication.

NEW:

amr
      OPTIONAL.  Authentication Methods References.  JSON array of
      strings that are identifiers for classes of authentication methods used in
      the authentication.

2. In the IANA considerations and DE guidance, maybe make the name
of the new registry reflect that these are classes, in case someone gets
confused only having looked at the IANA pages without reading the RFC,
and perhaps point the DE guidance back to the top bit where you explain
this stuff and add "classes of" in a few places in the template to save
the DEs having to explain that over and over to people who just copy
templates.

Thanks,
S.

[Ballot discuss]

I think we still have the problem that the values
"defined" here (e.g. "fpt") are under specified to a
significant degree. RFC4949 does not tell anyone
how to achieve interop with "fpt" (nor any of the
other cases where you refer to 4949 I think). There
is therefore no utility in "defining" "fpt" as it will
not achieve interop and in fact is more likely to
cause confusion than interop. If the solution of
actually defining the meaning of things like
"fpt" is not achievable then perhaps it will be
better to only define those for which we can get
interop ("pwd" and one or two others) and leave
the definition of the rest for later. (In saying that
I do recall that one of the authors said that there
are implementations that use some of these
type-names, but the point of RFCs is not to "bless"
such things, but to achieve interop.)

The version of the same point I made on the
previous revision of this draft is below, but IMO
still applies.

This specification seems to me to break it's own
rules. You state that registrations should include
a reference to a specification to improve interop.
And yet, for the strings added here (e.g. otp) you
don't do that (referring to section 2 will not
improve interop) and there are different ways in
which many of the methods in section 2 can be done.
So I think you need to add a bunch more references.

[Ballot discuss]
This is a fine document and I support its publication. However I have a small set of issues that I would like to discuss first.

Are non ASCII names needed? (This is a protocol element, not a human readable string, so non ASCII is not needed).

[Ballot comment]
Thanks for this useful document.

I plan to support its approval shortly, but I think we need to finish the discussion we had with Paul's Gen-ART review. I think I'm starting to agree with Mike, but this is worthwhile to point out to the IESG during our deliberations tomorrow.

(The issue is whether as per RFC 5226 one sends a request to a DE and he or she may send it to mailing list, or if IANA should send the request directly to a mailing list. But I think the language in draft-leiba-cotton-iana-5226bis is looser on this respect, as it probably should be. Or I thought the language is looser... but opinions seem to differ. Maybe we need to send mail to the authors of 5226bis to ask for clarification-)

[Ballot discuss]
This is a fine document and I support its publication. However I have a small set of issues that I would like to discuss first.

Are non ASCII names needed? (This is a protocol element, not a human readable string, so non ASCII is not needed). Are ASCII spaces allowed in names? More generally: what do you call printable character?

[Ballot comment]
In Section 6.1: suggestion to first describe IANA registration policy, then describe restrictions on registered names. Otherwise the current text doesn't flow well.

I am also agreeing with Stephen's DISCUSS.

[Ballot discuss]
Thanks for this useful document.

I plan to support its approval shortly, but I think we need to finish the discussion we had with Paul's Gen-ART review. I think I'm starting to agree with Mike, but this is worthwhile to point out to the IESG during our deliberations tomorrow.

(The issue is whether as per RFC 5226 one sends a request to a DE and he or she may send it to mailing list, or if IANA should send the request directly to a mailing list. But I think the language in draft-leiba-cotton-iana-5226bis is looser on this respect, as it probably should be.)

[Ballot comment]
In 6.1, the text seems to say experts must enforce one of two different standards for handling characters outside the non-printable ascii set. Is that the intent? That seems to invite inconsistent decisions from different experts. Would it make more sense to say that experts must make sure one of the two standards is met, rather than choosing which standard they want to follow?

[Ballot discuss]
This specification seems to me to break it's own
rules. You state that registrations should include
a reference to a specification to improve interop.
And yet, for the strings added here (e.g. otp) you
don't do that (referring to section 2 will not
improve interop) and there are different ways in
which many of the methods in section 2 can be done.
So I think you need to add a bunch more references.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-oauth-amr-values-04.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator has a question about one of the actions requested in the IANA Considerations section of this document.

The IANA Services Operator also understands that, upon approval of this document, there is a single action which we must complete.

A new registry is to be created called the Authentication Method Reference Values Registry.

IANA Services Operator Question --> Should this new registry be a standalone registry, or should it be grouped with, or perhaps a subregistry, of and existing registry?

We understand that the new registry is to be managed through Expert Review as defined in RFC5226. Section 6.1 of the current draft provides guidance to the Experts.

We also understand that there are initial values in the new registry as follows:

------+----------------------------------------+----------------+--------------+
Name Description Change Controller Reference |
------+----------------------------------------+----------------+--------------+
face | Facial recognition | IESG | [ RFC-to-be ]|
fpt | Fingerprint biometric | IESG | [ RFC-to-be ]|
geo | Geolocation | IESG | [ RFC-to-be ]|
hwk | Proof-of-possession of a | IESG | [ RFC-to-be ]|
| hardware-secured key | | |
iris | Iris scan biometric | IESG | [ RFC-to-be ]|
kba | Knowledge-based authentication | IESG | [ RFC-to-be ]|
mca | Multiple-channel authentication | IESG | [ RFC-to-be ]|
mfa | Multiple-factor authentication | IESG | [ RFC-to-be ]|
otp | One-time password | IESG | [ RFC-to-be ]|
pin | Personal Identification Number or | IESG | [ RFC-to-be ]|
| pattern | | |
pwd | Password-based authentication | IESG | [ RFC-to-be ]|
rba | Risk-based authentication | IESG | [ RFC-to-be ]|
retina| Retina scan biometric | IESG | [ RFC-to-be ]|
sc | Smart card | IESG | [ RFC-to-be ]|
sms | Confirmation using SMS | IESG | [ RFC-to-be ]|
swk | Proof-of-possession of a | IESG | [ RFC-to-be ]|
| software-secured key | | |
tel | Confirmation by telephone call | IESG | [ RFC-to-be ]|
user | User presence test | IESG | [ RFC-to-be ]|
vbm | Voice biometric | IESG | [ RFC-to-be ]|
wia | Windows integrated authentication | IESG | [ RFC-to-be ]|
------+----------------------------------------+----------------+--------------+

The IANA Services Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: draft-ietf-oauth-amr-values@ietf.org, oauth@ietf.org, Kathleen.Moriarty.ietf@gmail.com, "Hannes Tschofenig" , Hannes.Tschofenig@gmx.net, oauth-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Authentication Method Reference Values) to Proposed Standard


The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'Authentication Method Reference Values'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-12-13. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  The "amr" (Authentication Methods References) claim is defined and
  registered in the IANA "JSON Web Token Claims" registry but no
  standard Authentication Method Reference values are currently
  defined.  This specification establishes a registry for
  Authentication Method Reference values and defines an initial set of
  Authentication Method Reference values.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/


No IPR declarations have been submitted directly on this I-D.

Shepherd Write-Up for "Authentication Method Reference Values"


(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This specification is proposed as a 'Standards Track' document. The
type of RFC is indicated and the specification adds new values to the
"Authentication Method Reference Values" registry.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  The "amr" (Authentication Methods References) claim is defined and
  registered in the IANA "JSON Web Token Claims" registry but no
  standard Authentication Method Reference values are currently
  defined.  This specification establishes a registry for
  Authentication Method Reference values and defines an initial set of
  Authentication Method Reference values.

Working Group Summary

  The document defines values for an established registry. Due to the
  small scope of document the work was completed rather quickly.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

Implementations of the OpenID Mobile Authentication Profile,
which is defined by the MODRNA working group, use “amr” values.
This includes all the GSMA Mobile Connect deployments.

Microsoft Azure Active Directory and Microsoft Active Directory
Federation Services (ADFS) use “amr” values.

Google’s identity provider uses “amr” values.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

Hannes Tschofenig is the document shepherd and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The document shepherd was involved in the working group review process
and verified the document for correctness.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

There are no concerns regarding the document reviews.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

There are no specific reviews needed.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The document shepherd has no concerns with the document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

The authors have confirmed full conformance with the provisions of BCP 78
and BCP 79:

M. Jones: https://www.ietf.org/mail-archive/web/oauth/current/msg16670.html
P. Hunt: https://www.ietf.org/mail-archive/web/oauth/current/msg16680.html
A. Nadalin: https://www.ietf.org/mail-archive/web/oauth/current/msg16681.html

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed for this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

There is solid consensus in the working group for publishing this
document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

Nobody threatened an appeal or expressed extreme discontent.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd checked the document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No formal review is needed.

(13) Have all references within this document been identified as
either normative or informative?

Yes. The references are split into normative and informative references.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

All normative references are copmleted documents.

(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

The following document is a non-IETF document that may require a downward
reference:

  [OpenID.Core]
              Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
              C. Mortimore, "OpenID Connect Core 1.0", November 2014,
              .

 
(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document does not change the status of an existing RFC.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

This document creates a new registry for Authentication Method Reference
(AMR) values and populates the registry with an initial set of values.

The IANA consideration section and the body are consistent. The IANA
consideration section provides details about the procedures and the
content.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

The new registry for Authentication Method Reference values requires
expert review. The OAuth working group is a natural place to find
such experts.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There is no formal syntax in the document.