Re: [OAUTH-WG] OAuth WG Re-Chartering
Paul Madsen <paul.madsen@gmail.com> Thu, 15 March 2012 12:10 UTC
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A32F21F8692 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 05:10:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xhWe6Jb+T5ta for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 05:10:42 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id 5841721F8693 for <oauth@ietf.org>; Thu, 15 Mar 2012 05:10:41 -0700 (PDT)
Received: by wibhq7 with SMTP id hq7so3396754wib.13 for <oauth@ietf.org>; Thu, 15 Mar 2012 05:10:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=GqYJCNZeUmCbMfONxy46nAlmftKFZUj74xJKoxmIG/c=; b=o9IH+d+lskCNK1Mzr7ftddP9sTMEaCtCZ2fJiAqBRR6aNS+HHGdO0oa7oH5BGTuWnK zoHpcpyv/Zdyl5VIZoyrkYPPzk20mIWlZ5SpDW+JIj73YEMhTU/qdUBx4WXfM+/tBWDC k/+W9muYwJOt8h0WnybPJq045n2EYC3rAsQ2rZNVIPeiZX6QVSp5/Vo6czm1BpqMDmLV jDEoMF0IVlrdlSHi80Su1SsMkzNYyzH8hjf8mJhBgPhTB1oUidmhlc2p4U9cO9RGNc2R Ni8mTIoRhlrlF1nsQGwbbyWJmxkDgWoCi/amytsSCc4gr+mm/0TaGHOoZHO/bqKLLRSt 0YEg==
Received: by 10.50.185.201 with SMTP id fe9mr9014339igc.47.1331813434237; Thu, 15 Mar 2012 05:10:34 -0700 (PDT)
Received: from [192.168.2.22] (bas1-northbay04-2925117588.dsl.bell.ca. [174.89.192.148]) by mx.google.com with ESMTPS id mi10sm1760598igc.8.2012.03.15.05.10.32 (version=SSLv3 cipher=OTHER); Thu, 15 Mar 2012 05:10:33 -0700 (PDT)
Message-ID: <4F61DC37.6090508@gmail.com>
Date: Thu, 15 Mar 2012 08:10:31 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <B327D847-B059-41D7-A468-8B8A5DB8BFCE@gmx.net><2560E47E-655A-4048-AE5D-70EFF171D816@mitre.org> <4F61C5D6.40106@gmail.com> <999913AB42CC9341B05A99BBF358718D01382A8C@FIESEXC035.nsn-intra.net>
In-Reply-To: <999913AB42CC9341B05A99BBF358718D01382A8C@FIESEXC035.nsn-intra.net>
Content-Type: multipart/alternative; boundary="------------060907080000040002050104"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth WG Re-Chartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 12:10:43 -0000
Hi Hannes, happy to submit as ID once possible. Wrt the current 5, we want them all (and more) :-) but the following are data points for our prioritization 0) JWT is a given 1) we have implemented the SAML bearer token profile, somewhat deprioritizing for us in the immediate term the equivalent JWT profile (but not the long term) 2) customers are demanding programmatic client registration. For one customer, the use case is to allow clients to be added to our AS via an API management solution. The customer wants client developers to use the API management tool as the single touch point into their APIs - adding clients, being issued credentials etc As well, the TV Everywhere driven OATC spec (based on OAuth 2) has requirements for the same 3) as valuable as an informational use cases discussion will be, I'd hope it doesnt prevent us tackling normative work 4) wrt revocation, we definitely see use cases (enterprise employee is issued long lived refresh token for a mobile SaaS app, then gets fired and so enterprise needs to turn off the access) but can probably achieve the equivalent with a SCIM 'delete user' message paul On 3/15/12 7:12 AM, Tschofenig, Hannes (NSN - FI/Espoo) wrote: > > Hi Paul, > > Interesting stuff. Thanks for sharing your draft writeup with us. > > Could you submit the document as Internet Draft when the submission > gates open again? > > The I-D submission tool will be reopened at 00h UTC, 2012-03-26. > > From the current list of items what do you consider less important? > > Ciao > > Hannes > > *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On > Behalf Of *ext Paul Madsen > *Sent:* Thursday, March 15, 2012 12:35 PM > *To:* Richer, Justin P. > *Cc:* oauth@ietf.org WG > *Subject:* Re: [OAUTH-WG] OAuth WG Re-Chartering > > +1 to defining RS-AS interactions. We've implemented such a 'token > introspection' endpoint in our AS and I'm be happy to no longer need > to explain to customers/partners why it's not part of the standard. > > As input, an (incomplete) spec for our endpoint enclosed. (we modeled > the verification as a new grant type, leveraging as much as possible > the existing token endpoint API) > > Wrt the 5 item limit > > 1) is this an arbitrary #? if people sign up to work on more items, > could it be extended? > 2) the use cases document seems already well progressed (and > informational). Need it count against the 5? > > paul > > On 3/14/12 5:53 PM, Richer, Justin P. wrote: > > Methods of connecting the PR to the AS are something that several groups have invented outside of the OAuth WG, and I think we should try to pull some of this work together. OAuth2 gives us a logical separation of the concerns but not a way to knit them back together. > > Proposals for inclusion in the discussion include UMA's Step 3, OpenID Connect's CheckID, and several "token introspection" endpoints in various implementations. > > -- Justin > > On Mar 14, 2012, at 4:21 PM, Hannes Tschofenig wrote: > > > So, here is a proposal: > > > > ------- > > > > Web Authorization Protocol (oauth) > > > > Description of Working Group > > > > The Web Authorization (OAuth) protocol allows a user to grant > > a third-party Web site or application access to the user's protected > > resources, without necessarily revealing their long-term credentials, > > or even their identity. For example, a photo-sharing site that supports > > OAuth could allow its users to use a third-party printing Web site to > > print their private pictures, without allowing the printing site to > > gain full control of the user's account and without having the user > > sharing his or her photo-sharing sites' long-term credential with the > > printing site. > > > > The OAuth protocol suite encompasses > > * a procedure for allowing a client to discover a resource server, > > * a protocol for obtaining authorization tokens from an authorization > > server with the resource owner's consent, > > * protocols for presenting these authorization tokens to protected > > resources for access to a resource, and > > * consequently for sharing data in a security and privacy respective way. > > > > In April 2010 the OAuth 1.0 specification, documenting pre-IETF work, > > was published as an informational document (RFC 5849). With the > > completion of OAuth 1.0 the working group started their work on OAuth 2.0 > > to incorporate implementation experience with version 1.0, additional > > use cases, and various other security, readability, and interoperability > > improvements. An extensive security analysis was conducted and the result > > is available as a stand-alone document offering guidance for audiences > > beyond the community of protocol implementers. > > > > The working group also developed security schemes for presenting authorization > > tokens to access a protected resource. This led to the publication of > > the bearer token as well as the message authentication code (MAC) access > > authentication specification. > > > > OAuth 2.0 added the ability to trade a SAML assertion against an OAUTH token with > > the SAML 2.0 bearer assertion profile. This offers interworking with existing > > identity management solutions, in particular SAML based deployments. > > > > OAuth has enjoyed widespread adoption by the Internet application service provider > > community. To build on this success we aim for nothing more than to make OAuth the > > authorization framework of choice for any Internet protocol. Consequently, the > > ongoing standardization effort within the OAuth working group is focused on > > enhancing interoperability of OAuth deployments. While the core OAuth specification > > truly is an important building block it relies on other specifications in order to > > claim completeness. Luckily, these components already exist and have been deployed > > on the Internet. Through the IETF standards process they will be improved in > > quality and will undergo a rigorous review process. > > > > Goals and Milestones > > > > [Editor's Note: Here are the completed items.] > > > > Done Submit 'OAuth 2.0 Threat Model and Security Considerations' as a working group item > > Done Submit 'HTTP Authentication: MAC Authentication' as a working group item > > Done Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for consideration as a Proposed Standard > > Done Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for consideration as a Proposed Standard > > > > [Editor's Note: Finishing existing work. Double-check the proposed dates - are they realistic?] > > > > Jun. 2012 Submit 'HTTP Authentication: MAC Authentication' to the IESG for consideration as a Proposed Standard > > Apr. 2012 Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard > > Apr. 2012 Submit 'OAuth 2.0 Assertion Profile' to the IESG for consideration as a Proposed Standard > > Apr. 2012 Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for consideration as a Proposed Standard > > May 2012 Submit 'OAuth 2.0 Threat Model and Security Considerations' to the IESG for consideration as an Informational RFC > > > > [Editor's Note: New work for the group. 5 items maximum! ] > > > > Aug. 2012 Submit 'Token Revocation' to the IESG for consideration as a Proposed Standard > > > > [Starting point for the work will behttp://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/] > > > > Nov. 2012 Submit 'JSON Web Token (JWT)' to the IESG for consideration as a Proposed Standard > > > > [Starting point for the work will behttp://tools.ietf.org/html/draft-jones-json-web-token] > > > > Nov. 2012 Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard > > > > [Starting point for the work will behttp://tools.ietf.org/html/draft-jones-oauth-jwt-bearer] > > > > Jan. 2013 Submit 'OAuth Dynamic Client Registration Protocol' to the IESG for consideration as a Proposed Standard > > > > [Starting point for the work will behttp://tools.ietf.org/html/draft-hardjono-oauth-dynreg] > > > > Sep. 2012 Submit 'OAuth Use Cases' to the IESG for consideration as an Informational RFC > > > > [Starting point for the work will behttp://tools.ietf.org/html/draft-zeltsan-oauth-use-cases] > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth WG Re-Chartering Hannes Tschofenig
- Re: [OAUTH-WG] OAuth WG Re-Chartering Igor Faynberg
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering Richer, Justin P.
- Re: [OAUTH-WG] OAuth WG Re-Chartering Mike Jones
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering Richer, Justin P.
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering Anthony Nadalin
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering Nat Sakimura
- Re: [OAUTH-WG] OAuth WG Re-Chartering Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] OAuth WG Re-Chartering Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] OAuth WG Re-Chartering Paul Madsen
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering Paul Madsen
- Re: [OAUTH-WG] OAuth WG Re-Chartering Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering Blaine Cook
- Re: [OAUTH-WG] OAuth WG Re-Chartering Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] OAuth WG Re-Chartering Paul Madsen
- Re: [OAUTH-WG] OAuth WG Re-Chartering Richer, Justin P.
- Re: [OAUTH-WG] OAuth WG Re-Chartering Paul Madsen
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] OAuth WG Re-Chartering Mike Jones
- Re: [OAUTH-WG] OAuth WG Re-Chartering Blaine Cook
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering Phil Hunt
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth WG Re-Chartering Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth WG Re-Chartering Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering George Fletcher
- Re: [OAUTH-WG] OAuth WG Re-Chartering Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth WG Re-Chartering Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering George Fletcher
- Re: [OAUTH-WG] OAuth WG Re-Chartering Mike Jones
- Re: [OAUTH-WG] OAuth WG Re-Chartering Phil Hunt
- Re: [OAUTH-WG] OAuth WG Re-Chartering Eran Hammer
- Re: [OAUTH-WG] OAuth WG Re-Chartering John Bradley
- Re: [OAUTH-WG] OAuth WG Re-Chartering Phil Hunt
- Re: [OAUTH-WG] OAuth WG Re-Chartering Mike Jones
- Re: [OAUTH-WG] OAuth WG Re-Chartering Justin Richer
- Re: [OAUTH-WG] OAuth WG Re-Chartering Phil Hunt