Re: [oauth] Comment on charter
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Tue, 17 February 2009 08:36 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 51B5F3A6899 for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 00:36:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.71
X-Spam-Level:
X-Spam-Status: No, score=-5.71 tagged_above=-999 required=5 tests=[AWL=0.889, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fv533tT1zAvL for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 00:36:00 -0800 (PST)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [217.115.75.233]) by core3.amsl.com (Postfix) with ESMTP id 0238D3A65A5 for <oauth@ietf.org>; Tue, 17 Feb 2009 00:35:59 -0800 (PST)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id n1H8a6Mh005366 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 17 Feb 2009 09:36:06 +0100
Received: from demuexc025.nsn-intra.net (demuexc025.nsn-intra.net [10.159.32.12]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id n1H8a6HZ029801; Tue, 17 Feb 2009 09:36:06 +0100
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc025.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Feb 2009 09:36:05 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 17 Feb 2009 10:37:00 +0200
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B45010DB8C4@FIESEXC015.nsn-intra.net>
In-Reply-To: <ca722a9e0902061104l3314073bvc6f3e27863e8779d@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [oauth] Comment on charter
Thread-Index: AcmIjcuRbKyD2uB/TZWgYv1TFsGjFAITPYdA
References: <ca722a9e0902061104l3314073bvc6f3e27863e8779d@mail.gmail.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Lisa Dusseault <lisa.dusseault@gmail.com>, oauth@ietf.org
X-OriginalArrivalTime: 17 Feb 2009 08:36:05.0592 (UTC) FILETIME=[C5FFDD80:01C990DA]
Cc: gregory.ietf@gmail.com
Subject: Re: [oauth] Comment on charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 08:36:01 -0000
Thank you Greg for your input. I incorporated your comment into the charter text as it sounds good to me. Ciao Hannes ________________________________ From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of ext Lisa Dusseault Sent: 06 February, 2009 21:05 To: oauth@ietf.org Cc: gregory.ietf@gmail.com Subject: [oauth] Comment on charter Here's a comment on the charter, Greg told me this in person but I asked him to follow up on the list. He's not on the list, so please keep him on the cc' for this discussion: Oauth team, I think the work you are doing is meaningful and I hope to see it transition to WG soon. Here is a comment to your charter that I made from the mic at the last BoF, and which I hope to see included in the next version of the charter. From the charter: "The Working Group will produce one or more documents suitable for consideration as Proposed Standard, based upon the OAuth I-D, that will: * Align OAuth with the Internet and Web architectures, best practices and terminology * Assure good security practice, or document gaps in its capabilities * Promote interoperability" Change second bullet to: "* Assure good security practice, or document gaps in its capabilities, and propose a path forward for addressing the gap." The reason: we have experienced in other places in IETF where documents with less-than-perfect security get hung up in Security Area review, and for good reason. We want secure protocols that use modern, best-practice secruity mechanisms. However, sometimes getting from today to that state of best-practice security mechanism is non-trivial, and will take standard and implementation work. We are learning over time that (1) documenting security gaps, combined with (2) a clear path to addressing gaps, and (3) work in progress to addressing gaps goes a long way to making less-than-best-security-practice specifications more acceptable. I.e. The charter change I propose is geared toward helping Oauth see the light of day more quickly, and have an incremental path toward best-practice security. Let me know what you think, Gregorry.
- Re: [oauth] Comment on charter Tschofenig, Hannes (NSN - FI/Espoo)
- [oauth] Comment on charter Lisa Dusseault
- Re: [oauth] Comment on charter Blaine Cook