WG Review: Recharter of Open Authentication Protocol (oauth)

IESG Secretary <iesg-secretary@ietf.org> Tue, 31 May 2011 16:42 UTC

Return-Path: <wwwrun@ietfa.amsl.com>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 30) id 5C8BDE0789; Tue, 31 May 2011 09:42:35 -0700 (PDT)
From: IESG Secretary <iesg-secretary@ietf.org>
To: IETF Announcement list <ietf-announce@ietf.org>
Subject: WG Review: Recharter of Open Authentication Protocol (oauth)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Message-Id: <20110531164235.5C8BDE0789@ietfa.amsl.com>
Date: Tue, 31 May 2011 09:42:35 -0700
Cc: romeda@gmail.com, barryleiba@computer.org, oauth@ietf.org
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: iesg@ietf.org
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-announce>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2011 16:42:36 -0000

A modified charter has been submitted for the Open Authentication 
Protocol (oauth) working group in the Security Area of the IETF.  The 
IESG has not made any determination as yet.  The modified charter is 
provided below for informational purposes only.  Please send your 
comments to the IESG mailing list (iesg@ietf.org) by Tuesday, June 7, 

Web Authorization Protocol Working Group (oauth)
Last modified: 2011-05-11

Current Status: Active Working Group

Chairs: Barry Leiba <barryleiba@computer.org>
        Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
        Blaine Cook <romeda@gmail.com>
Area Director: Stephen Farrell <stephen.farrell@cs.tcd.ie>  
Tech Advisor: Peter Saint-Andre <stpeter@stpeter.im>

Mailing List Address: oauth@ietf.org  
To Subscribe: https://www.ietf.org/mailman/listinfo/oauth 
Archive: http://www.ietf.org/mail-archive/web/oauth/

Description of Working Group

The Web Authorization (OAuth) protocol allows a user to grant
a third-party Web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that supports
OAuth could allow its users to use a third-party printing Web site to
print their private pictures, without allowing the printing site to
gain full control of the user's account.

OAuth encompasses
* a mechanism for a user to authorize issuance of credentials that
 a third party can use to access resources on the user's behalf and
* a mechanism for using the issued credentials to authenticate
 HTTP requests.

In April 2010 the OAuth 1.0 specification, documenting pre-IETF work,
was published as an informational document (RFC 5849). The working
group has since been developing OAuth 2.0, a standards-track version
that will reflect IETF consensus.  Version 2.0 will consider the
implementation experience with version 1.0, a discovered security
vulnerability (session fixation attack), the use cases and
functionality proposed with OAuth WRAP [draft-hardt-oauth-01] and will
* improve the terminology used,
* consider broader use cases,
* embody good security practices,
* improve interoperability, and
* provide guidelines for extensibility.

The working group will develop authentication schemes for
peers/servers taking part in OAuth (accessing protected resources).
This includes

* an HMAC-based authentication mechanism

This document aims to provide a general purpose MAC authentication
scheme that can be used both with OAuth 2.0 but also with other use cases.
The WG will work with the security and applications area directors to
ensure that this work gets appropriate review, e.g. via additional last
calls in other relevant working groups such as HTTPBIS,

* a specification for access protected by Transport Layer Security
(bearer tokens),

* an extension to OAuth 2.0 to allow access tokens to be requested
when a client is in possession of a SAML assertion.

A separate informational description will be produced to provide
additional security analysis for audiences beyond the community
of protocol implementers.

Milestones will be added for the later items after the near-term work
has been completed.

Goals and Milestones
May 2011  Submit 'HTTP Authentication: MAC Authentication' as a
          working group item

May 2011  Submit 'OAuth 2.0 Threat Model and Security Considerations'
          as a working group item

Jul 2011  Submit 'The OAuth 2.0 Authorization Protocol' to the
          IESG for consideration as a Proposed Standard

Jul 2011  Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the
          IESG for consideration as a Proposed Standard

Aug 2011  Submit 'HTTP Authentication: MAC Authentication' to the
          IESG for consideration as a Proposed Standard

Oct 2011  Submit 'SAML 2.0 Bearer Assertion Grant Type Profile for
          OAuth 2.0' to the IESG for consideration as a Proposed 

Oct 2011  Re-chartering working group