draft-ietf-oauth-amr-values-04.txt   draft-ietf-oauth-amr-values-05.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: May 17, 2017 Oracle Expires: July 28, 2017 Oracle
A. Nadalin A. Nadalin
Microsoft Microsoft
November 13, 2016 January 24, 2017
Authentication Method Reference Values Authentication Method Reference Values
draft-ietf-oauth-amr-values-04 draft-ietf-oauth-amr-values-05
Abstract Abstract
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry but no registered in the IANA "JSON Web Token Claims" registry but no
standard Authentication Method Reference values are currently standard Authentication Method Reference values are currently
defined. This specification establishes a registry for defined. This specification establishes a registry for
Authentication Method Reference values and defines an initial set of Authentication Method Reference values and defines an initial set of
Authentication Method Reference values. Authentication Method Reference values.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 17, 2017. This Internet-Draft will expire on July 28, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 28 skipping to change at page 2, line 28
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6.1. Authentication Method Reference Values Registry . . . . . 6 6.1. Authentication Method Reference Values Registry . . . . . 6
6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7
6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 12
Appendix C. Document History . . . . . . . . . . . . . . . . . . 12 Appendix C. Document History . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry registered in the IANA "JSON Web Token Claims" registry
[IANA.JWT.Claims] but no standard Authentication Method Reference [IANA.JWT.Claims] but no standard Authentication Method Reference
values are currently defined. This specification establishes a values are currently defined. This specification establishes a
registry for Authentication Method Reference values and defines an registry for Authentication Method Reference values and defines an
initial set of Authentication Method Reference values. initial set of Authentication Method Reference values.
skipping to change at page 6, line 41 skipping to change at page 6, line 41
6.1. Authentication Method Reference Values Registry 6.1. Authentication Method Reference Values Registry
This specification establishes the IANA "Authentication Method This specification establishes the IANA "Authentication Method
Reference Values" registry for "amr" claim array element values. The Reference Values" registry for "amr" claim array element values. The
registry records the Authentication Method Reference value and a registry records the Authentication Method Reference value and a
reference to the specification that defines it. This specification reference to the specification that defines it. This specification
registers the Authentication Method Reference values defined in registers the Authentication Method Reference values defined in
Section 2. Section 2.
To facilitate interoperability, the Designated Experts must either:
a. require that Authentication Method Reference values being
registered use only printable ASCII characters excluding double
quote ('"') and backslash ('\') (the Unicode characters with code
points U+0021, U+0023 through U+005B, and U+005D through U+007E),
or
b. if new Authentication Method Reference values are defined that
use other code points, require that their definitions specify the
exact Unicode code point sequences used to represent them.
Furthermore, proposed registrations that use Unicode code points
that can only be represented in JSON strings as escaped
characters must not be accepted.
Values are registered on an Expert Review [RFC5226] basis after a Values are registered on an Expert Review [RFC5226] basis after a
three-week review period on the jwt-reg-review@ietf.org mailing list, three-week review period on the jwt-reg-review@ietf.org mailing list,
on the advice of one or more Designated Experts. To increase on the advice of one or more Designated Experts. To increase
potential interoperability, the experts are requested to encourage potential interoperability, the experts are requested to encourage
registrants to provide the location of a publicly-accessible registrants to provide the location of a publicly-accessible
specification defining the values being registered, so that their specification defining the values being registered, so that their
intended usage can be more easily understood. intended usage can be more easily understood.
Registration requests sent to the mailing list for review should use Registration requests sent to the mailing list for review should use
an appropriate subject (e.g., "Request to register Authentication an appropriate subject (e.g., "Request to register Authentication
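Review bot: In item a of the paragraph added to Section 6.1, the prose "printable ASCII characters excluding double quote ('"') and backslash ('\')" does not say whether space is allowed, and only the parenthetical code point list, which starts at U+0021, shows that U+0020 is excluded. Suggest naming space in the prose exclusion as well, so the wording and the code point ranges agree. The added rules also bind only the Designated Experts at registration time. If receivers of an "amr" claim are expected to compare values as exact code point sequences, as item b implies, a sentence saying so would help implementers, because the visible text does not state it.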
skipping to change at page 12, line 34 skipping to change at page 12, line 44
In other cases, the "amr" claim value returned may contain multiple In other cases, the "amr" claim value returned may contain multiple
Authentication Method Reference values. For example, the following Authentication Method Reference values. For example, the following
"amr" claim value indicates that the authentication performed used a "amr" claim value indicates that the authentication performed used a
password and knowledge-based authentication: password and knowledge-based authentication:
"amr": ["pwd", "kba"] "amr": ["pwd", "kba"]
Appendix B. Acknowledgements Appendix B. Acknowledgements
Caleb Baker participated in specifying the original set of "amr" Caleb Baker participated in specifying the original set of "amr"
values. John Bradley, Brian Campbell, William Denniss, James Manger, values. John Bradley, Brian Campbell, William Denniss, Linda Dunbar,
Nat Sakimura, and Mike Schwartz provided reviews of the Paul Kyzivat, Elaine Newton, James Manger, Catherine Meadows,
specification. Kathleen Moriarty, Nat Sakimura, and Mike Schwartz provided reviews
of the specification.
Appendix C. Document History Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-05
o Specified characters allowed in "amr" values, reusing the IANA
Considerations language on this topic from RFC 7638.
-04 -04
o Added examples with single and multiple values. o Added examples with single and multiple values.
o Clarified that the actual credentials referenced are not part of o Clarified that the actual credentials referenced are not part of
this specification to avoid additional privacy concerns for this specification to avoid additional privacy concerns for
biometric data. biometric data.
o Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to o Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to
applications using this specification. applications using this specification.
-03 -03
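Review bot: The -05 entry in Appendix C is the only visible place that credits RFC 7638 as the source of the character restrictions, and Appendix C is marked "to be removed by the RFC editor before publication", so that attribution is lost in the published RFC. If the reuse should stay on record, cite RFC 7638 from the new Section 6.1 paragraph itself. In Appendix B, the expanded reviewer list puts "Elaine Newton" before "James Manger", which breaks the alphabetical order the rest of the list follows.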
 End of changes. 9 change blocks. 
9 lines changed or deleted 30 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/