Re: [oauth] Updated Charter Text
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Wed, 18 February 2009 13:46 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D1B43A6A11 for <oauth@core3.amsl.com>; Wed, 18 Feb 2009 05:46:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.474
X-Spam-Level:
X-Spam-Status: No, score=-3.474 tagged_above=-999 required=5 tests=[AWL=-0.875, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VriVdYMTsIWl for <oauth@core3.amsl.com>; Wed, 18 Feb 2009 05:46:43 -0800 (PST)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [217.115.75.234]) by core3.amsl.com (Postfix) with ESMTP id 13B733A6C66 for <oauth@ietf.org>; Wed, 18 Feb 2009 05:46:42 -0800 (PST)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id n1IDkrIN014561 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 18 Feb 2009 14:46:53 +0100
Received: from demuexc024.nsn-intra.net (demuexc024.nsn-intra.net [10.159.32.11]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id n1IDkqe1013568; Wed, 18 Feb 2009 14:46:52 +0100
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc024.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 18 Feb 2009 14:46:52 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 18 Feb 2009 15:47:48 +0200
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4501103309@FIESEXC015.nsn-intra.net>
In-Reply-To: <499BEC9E.10704@cs.tcd.ie>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [oauth] Updated Charter Text
Thread-Index: AcmRuRcY9A3k20maTNy9qcUC7OC1EAAFdQMg
References: <3D3C75174CB95F42AD6BCC56E5555B4501102F3B@FIESEXC015.nsn-intra.net> <499BEC9E.10704@cs.tcd.ie>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-OriginalArrivalTime: 18 Feb 2009 13:46:52.0781 (UTC) FILETIME=[5B00D9D0:01C991CF]
Cc: oauth@ietf.org
Subject: Re: [oauth] Updated Charter Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2009 13:46:44 -0000
Hi Stephen, you are a tough negotiator :-) I think Blaine tried to capture it with the following bullet: " * Alternate token exchange profiles. " Would adding something like the sentence below make you happier? " For example, profiles that take challenged devices and aggregators into account allowing for the client to directly acquire an access token from a set of credentials. " Ciao Hannes >-----Original Message----- >From: ext Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] >Sent: 18 February, 2009 13:10 >To: Tschofenig, Hannes (NSN - FI/Espoo) >Cc: oauth@ietf.org >Subject: Re: [oauth] Updated Charter Text > > >Hate to keep banging the same drum, but I don't see how the >mobile use case is included there, so I'd still suggest the >addition below. (Other than that this charter is fine by me.) > >While I would like there to be a milestone associated with >that, I'm ok if that's done later, so haven't suggested one. >(If asked, I'd go for WGLC on a mobile draft 3-6 months after >the WGLC starts on the base spec.) > >Stephen. > >Tschofenig, Hannes (NSN - FI/Espoo) wrote: >> Based on the feedback I have compiled another version of the charter >> text. >> >> ------------------------------------------ >> >> Open Authentication Protocol (oauth) >> >> Last Modified: 2009-01-30 >> >> Chair(s): >> >> TBD >> >> Applications Area Director(s): >> >> Chris Newman <chris.newman@sun.com> >> Lisa Dusseault <lisa@osafoundation.org> >> >> Applications Area Advisor: >> >> TBD >> >> Mailing Lists: >> >> https://www.ietf.org/mailman/listinfo/oauth >> >> Description of Working Group: >> >> OAuth allows a user to grant a third-party Web site or application >> access to their resources, without necessarily revealing their >> credentials, or even their identity. For example, a photo-sharing >> site that supports OAuth would allow its users to use a third-party >> printing Web site to access their private pictures, without gaining >> full control of the user account. >> >> OAuth consists of: >> * A mechanism for exchanging a user's credentials for a >token-secret >> pair which can be used by a third party to access resources on their >> behalf. >> * A mechanism for signing HTTP requests with the token-secret pair. >> >> The Working Group will produce one or more documents suitable for >> consideration as Proposed Standard, based upon >> draft-hammer-oauth-00.txt, that will: >> * Improve the terminology used. >> * Embody good security practice, or document gaps in its >> capabilities, and propose a path forward for addressing the gap. >> * Promote interoperability. >> * Provide guidelines for extensibility. >> >> This specifically means that as a starting point for the >working group >> OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available >> extension points are going to be utilized. The WG will >profile OAuth >> 1.0 in a way that produces a specification that is a backwards >> compatible profile, i.e. any OAuth 1.0 and the >specification produced >> by this group must support a basic set of features to guarantee >> interoperability. >> >> Furthermore, OAuth 1.0 defines three signature methods used >to protect >> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will >> work on new signature methods and will describe the >environments where >> new security requirements justify their usage. Existing signature >> methods will not be modified but may be dropped as part of the >> backwards compatible profiling activity. The applicability >of existing >> and new signature methods to protocols other than HTTP will >be investigated. >> >> The Working Group should consider: >> * Implementer experience. >> * The end-user experience, including internationalization >> * Existing uses of OAuth. >> * Ability to achieve broad impementation. >> * Ability to address broader use cases than may be contemplated by >> the original authors. >> >> The Working Group is not tasked with defining a generally applicable >> HTTP Authentication mechanism (i.e., browser-based "2-leg" >scenerio), >> and should consider this work out of scope in its discussions. >> However, if the deliverables are able to be factored in such a way >> that this is a byproduct, or such a scenario could be addressed by >> additional future work, the Working Group may choose to do so. > >After delivering OAuth, the WG will, if necessary, develop an >oauth extension suited for use on challenged devices and by >aggregators that allows for the client to directly acquire an >access token from a set of credentials. One such scheme is >defined in draft-dehora-farrell-oauth-accesstoken-creds. > > >> After delivering OAuth, the Working Group may consider defining >> additional functions and/or extensions, for example (but not limited >> to): >> * Discovery of OAuth configuration. >> * Comprehensive message integrity. >> * Recommendations regarding the structure of the token. >> * Localization. >> * Session-oriented tokens. >> * Alternate token exchange profiles. >> >> Goals and Milestones: >> >> Apr 2009 Submit 'OAuth: HTTP Authorization Delegation Protocol' as >> working group item >> (draft-hammer-oauth will be used as a starting point for >> further work.) >> Jul 2009 Start of discussion about OAuth extensions the >group should >> work on >> Oct 2009 Start Working Group Last Call on 'OAuth: HTTP >Authorization >> Delegation Protocol' >> Nov 2009 Submit 'OAuth: HTTP Authorization Delegation Protocol' to >> the IESG for consideration as a Proposed Standard >> Nov 2009 Prepare milestone update to start new work >within the scope >> of the charter >> >> >> _______________________________________________ >> oauth mailing list >> oauth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [oauth] Updated Charter Text Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Updated Charter Text Stephen Farrell
- Re: [oauth] Updated Charter Text Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Updated Charter Text Blaine Cook
- Re: [oauth] Updated Charter Text Stephen Farrell
- Re: [oauth] Updated Charter Text Blaine Cook
- Re: [oauth] Updated Charter Text Stephen Farrell