[WG-UMA] Preparing for deciding dynamic registration issues

Christian Scholz cs at comlounge.net
Wed Jul 21 19:35:33 EDT 2010


Just FYI: I unfortunately cannot be on the call tomorrow as I am still
at the EuroPython conference.
Remarks below

On 21.07.10 23:15, Eve Maler wrote:
> In the agenda for tomorrow I included these items:
> Dynamic registration I-D (formatted
> <http://mrtopf.clprojects.net/uma/>, source
> <http://github.com/mrtopf/UMA-Specifications>)
>     * Aim to make final decisions in this meeting
>     * Push vs. pull vs. both vs. merged: What UMA-specific input (e.g.
>       around trusted claims) do we need to provide to help the OAuth
>       group decide?
>     * Section on pushing metadata directly: moved?
>     * New section on extensibility: written?
>     * Include proposal for solution for dynamic binding of user-agent
>       clients?
>     * Any other outstanding issues?
> Could those who have an opinion about the push/pull issue send a
> message to the list explaining their recommendation and rationale
> ahead of the call?  (In particular, I'm not sure I even understand how
> the two could be "merged",  as has been mentioned on the list
> previously...)
So I would prefer to have only one method in there for the following

- We do not have to decide when to use what and who needs to decide when
to use what, the client or server? Probably the server needs to decide
that so there needs to be some mechanism to tell the client (probably
hostmeta). That means that the client needs to implement both methods.
So all in all it's more implementation work.
- Having only one method is less implementation to do on both sides.
Push is in general less work on both sides, too.
- Strong auth can be done with both methods I assume.

After the discussion last week (esp. with George) I would tend to favor
push slightly because

- it's easier to implement
- it has the same security issues if you don't sign it as pull as the
client can point the server to any URL it's supposed to read information
from. OTOH this needs to be presented to the user so the user might be
aware of this wrong information so I am not so sure about this anymore.
You can at least show the user "I got information x,y,z from URL" and
the user might decide if that is trustworthy. Maybe George can talk more
on this topic though.

As for merging: The client has to initiate the process anyway. Either it
sends all information or it only sends a URL. So it in fact starts with
a push. In pull you only have the information retrieval of the
information in between before the server sends the response with client
credentials. But even in push the server could choose to do that even if
it's not in the spec. So in fact these are very similar and only differ in:

- what the client initially sends
- what the server does before sending a response

But the flow is the same and only extended in the push case. It could be:

1. client sends client information or a URL (marked up in JSON or so)
2. server decides whether it has enough information and if not pulls the
information from the client website
3. server sends response with client credentials (or an error message)

> Also, could anyone who feels strongly about how to accommodate
> non-web-server clients in dynamic registration propose some text ahead
> of time?

Is there a difference in the process? The client can always initiate
requests and in the case it's not a web server it can point to a URL on
its developer's website or so.



> Thanks!  (I still /hope/ to do a few typo-cleanup things to the draft
> sometime before the call...)
> Eve
> Eve Maler
> http://www.xmlgrrl.com/blog
> http://www.twitter.com/xmlgrrl
> http://www.linkedin.com/in/evemaler
> _______________________________________________
> WG-UMA mailing list
> WG-UMA at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma

Christian Scholz                          Homepage: http://comlounge.net
COM.lounge GmbH                                    http://mrtopf.de/blog
Hanbrucher Str. 33                             http://twitter.com/mrtopf
52064 Aachen                                             Skype: HerrTopf
Tel: +49 241 400 730 0                                  cs at comlounge.net
Fax: +49 241 979 00 850                                      IRC: MrTopf

Der OpenWeb-Podcast (http://openwebpodcast.de)
Data Without Borders (http://datawithoutborders.net)
Politics: http://politfunk.de/
Technical: http://comlounge.tv/
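
The three-step merged flow described in the message above, sketched as an added example that is not part of the original post or of the UMA draft. The field names (`client_name`, `redirect_uri`, `metadata_url`), the error strings and the injected `fetch` callable are assumptions made for illustration; the handler records where each value came from so it can be shown to the user.

```python
import json
import secrets
from urllib.parse import urlparse

REQUIRED = ("client_name", "redirect_uri")  # hypothetical required fields


def register(request_body, fetch):
    """Merged flow; `fetch` (url -> JSON text) is injected so this runs offline."""
    try:
        req = json.loads(request_body)
    except ValueError:
        req = None
    if not isinstance(req, dict):
        return {"error": "invalid_request"}

    # Step 1: whatever the client pushed is the starting point.
    metadata = {k: req[k] for k in REQUIRED if k in req}
    provenance = {k: "pushed by client" for k in metadata}
    missing = [k for k in REQUIRED if k not in metadata]

    # Step 2: not enough information, so pull from the URL the client named.
    # The URL is client-chosen and unsigned, hence the provenance record.
    if missing:
        url = req.get("metadata_url")
        if not isinstance(url, str) or urlparse(url).scheme != "https":
            return {"error": "insufficient_metadata", "missing": missing}
        try:
            pulled = json.loads(fetch(url))
        except Exception:
            return {"error": "metadata_fetch_failed"}
        if not isinstance(pulled, dict):
            pulled = {}
        for k in missing:
            if k in pulled:
                metadata[k] = pulled[k]
                provenance[k] = "pulled from " + url
        missing = [k for k in REQUIRED if k not in metadata]
        if missing:
            return {"error": "insufficient_metadata", "missing": missing}

    # Step 3: respond with client credentials (constructed random values).
    return {
        "client_id": secrets.token_urlsafe(16),
        "client_secret": secrets.token_urlsafe(32),
        "metadata": metadata,
        "provenance": provenance,  # what the user would be shown
    }
```

A deployed server would replace `fetch` with an HTTPS client that also restricts which hosts and address ranges it will contact.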
