Thanks for the reply, Stephen. I'll try to find better interop-producing references where possible.



In some cases, however, the values are intentionally intended to provide an identifier for a family of closely-related methods, such as "otp", which covers both time-based and HMAC-based OTPs. Many relying parties will be content to know that an OTP has been used in addition to a password. The distinction between which kind of OTP was used is not useful to them. Thus, there's a single identifier that can be satisfied in two or more nearly equivalent ways. I consider this to be a feature - not a bug.



Similarly, there's a whole range of nuances between different fingerprint matching algorithms. They differ in false positive and false negative rates over different population samples and also differ based on the kind and model of fingerprint sensor used. Like the OTP case, many RPs will be content to know that a fingerprint match mas made, without delving into and differentiating based on every aspect of the implementation of fingerprint capture and match. Those that want more precision than this can always define new "amr" values. But "fpt" is fine as is for what I believe will be the 90+% case.



Ultimately, the RP is depending upon the Identity Provider to do reasonable things. If it didn't trust the IdP to do so, it has no business using it. The "amr" value lets the IdP signal to the RP additional information about what it did, for the cases in which that information is useful to the RP.



Reducing this to the point of absurdity, the RP would almost never care about the make, model, and serial number of the fingerprint reader or OTP. Values could be defined to provide that granularity. But making those fine-grained distinctions are not useful in practice.



Please consider the existing definitions in light of that reductio ad absurdum. The existing values only make distinctions that are known to be useful to RPs. Slicing things more finely than would be used in practice actually hurts interop, rather than helping it, because it would force all RPs to recognize that several or many different values actually mean the same thing to them.



-- Mike



-----Original Message-----
From: Stephen Farrell [mailto:***@cs.tcd.ie]
Sent: Monday, March 6, 2017 2:10 PM
To: Mike Jones <***@microsoft.com>; Anthony Nadalin <***@microsoft.com>; joel jaeggli <***@bogus.com>; The IESG <***@ietf.org>
Cc: oauth-***@ietf.org; draft-ietf-oauth-amr-***@ietf.org; ***@ietf.org
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)





Hi Mike,



Apologies - I updated the discuss ballot text [1] on Feb 28 but must've not sent it as an email or something. Anyway...



[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/
So I do think there's still work to be done, may as well copy the new ballot text here:



"

I think we still have the problem that the values "defined" here (e.g. "fpt") are under specified to a significant degree. RFC4949 does not tell anyone how to achieve interop with "fpt" (nor any of the other cases where you refer to 4949 I think). There is therefore no utility in "defining" "fpt" as it will not achieve interop and in fact is more likely to cause confusion than interop. If the solution of actually defining the meaning of things like "fpt" is not achievable then perhaps it will be better to only define those for which we can get interop ("pwd" and one or two others) and leave the definition of the rest for later. (In saying that I do recall that one of the authors said that there are implementations that use some of these type-names, but the point of RFCs is not to "bless"

such things, but to achieve interop.)

"



Cheers,

S.
-----Original Message----- From: Stephen Farrell
for more information about IESG DISCUSS and COMMENT
---------------------------------------------------------------------
-