IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth WG Re-Chartering

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Thu, 15 March 2012 09:10 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E3B21F84E7 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 02:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.412
X-Spam-Level:
X-Spam-Status: No, score=-106.412 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eMgzNXZx2BTo for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 02:10:37 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 9FA1121F84B9 for <oauth@ietf.org>; Thu, 15 Mar 2012 02:10:36 -0700 (PDT)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q2F9AYDD019393 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 15 Mar 2012 10:10:34 +0100
Received: from DEMUEXC048.nsn-intra.net ([10.159.32.94]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q2F9ALPf029263; Thu, 15 Mar 2012 10:10:34 +0100
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by DEMUEXC048.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Thu, 15 Mar 2012 10:10:31 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CD028B.77AA6497"
Date: Thu, 15 Mar 2012 11:10:28 +0200
Message-ID: <999913AB42CC9341B05A99BBF358718D01382982@FIESEXC035.nsn-intra.net>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436641D81E@TK5EX14MBXC284.redmond.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] OAuth WG Re-Chartering
Thread-Index: AQHNAiAMCRIf4APwgUm5DSot8V56SZZqRR3KgADM87A=
References: <B327D847-B059-41D7-A468-8B8A5DB8BFCE@gmx.net> <4E1F6AAD24975D4BA5B16804296739436641D81E@TK5EX14MBXC284.redmond.corp.microsoft.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Mike Jones <Michael.Jones@microsoft.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, oauth@ietf.org
X-OriginalArrivalTime: 15 Mar 2012 09:10:31.0153 (UTC) FILETIME=[78A6F610:01CD028B]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 22305
X-purgate-ID: 151667::1331802634-000044A2-045412D3/0-0/0-0
Subject: Re: [OAUTH-WG] OAuth WG Re-Chartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 09:10:41 -0000

Hi Mike, 

 

The comment I sent to Nat applies here too. Something else has to be
dropped if we add another items. 

 

To respond to Eran's remark I will talk to the APPs ADs to figure out
whether OAuth is the right place to do this work. There are various
considerations that matter, including 

*        In which group is the interested audience? 

*        Where is the expertise?

*        Is there a natural place the work belongs to? 

 

Ciao
Hannes

 

 

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
Of ext Mike Jones
Sent: Wednesday, March 14, 2012 10:55 PM
To: Hannes Tschofenig; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] OAuth WG Re-Chartering

 

This is missing Simple Web Discovery, which there was substantial
support for including during the rechartering discussion in Taipei.
Considering OpenID Connect as a motivating use case for OAuth, SWD is
the one spec that would then be missing for this OAuth use case.

Please add it to the list.

Thanks,
-- Mike

________________________________

From: Hannes Tschofenig
Sent: 3/14/2012 1:21 PM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] OAuth WG Re-Chartering

So, here is a proposal:

-------

Web Authorization Protocol (oauth)

Description of Working Group

The Web Authorization (OAuth) protocol allows a user to grant
a third-party Web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that supports
OAuth could allow its users to use a third-party printing Web site to
print their private pictures, without allowing the printing site to
gain full control of the user's account and without having the user 
sharing his or her photo-sharing sites' long-term credential with the 
printing site. 

The OAuth protocol suite encompasses
* a procedure for allowing a client to discover a resource server, 
* a protocol for obtaining authorization tokens from an authorization 
server with the resource owner's consent, 
* protocols for presenting these authorization tokens to protected 
resources for access to a resource, and 
* consequently for sharing data in a security and privacy respective
way.

In April 2010 the OAuth 1.0 specification, documenting pre-IETF work,
was published as an informational document (RFC 5849). With the 
completion of OAuth 1.0 the working group started their work on OAuth
2.0
to incorporate implementation experience with version 1.0, additional
use cases, and various other security, readability, and interoperability
improvements. An extensive security analysis was conducted and the
result 
is available as a stand-alone document offering guidance for audiences 
beyond the community of protocol implementers.

The working group also developed security schemes for presenting
authorization
tokens to access a protected resource. This led to the publication of
the bearer token as well as the message authentication code (MAC) access

authentication specification. 

OAuth 2.0 added the ability to trade a SAML assertion against an OAUTH
token with 
the SAML 2.0 bearer assertion profile.  This offers interworking with
existing 
identity management solutions, in particular SAML based deployments.

OAuth has enjoyed widespread adoption by the Internet application
service provider 
community. To build on this success we aim for nothing more than to make
OAuth the 
authorization framework of choice for any Internet protocol.
Consequently, the 
ongoing standardization effort within the OAuth working group is focused
on 
enhancing interoperability of OAuth deployments. While the core OAuth
specification 
truly is an important building block it relies on other specifications
in order to 
claim completeness. Luckily, these components already exist and have
been deployed 
on the Internet. Through the IETF standards process they will be
improved in 
quality and will undergo a rigorous review process. 

Goals and Milestones

[Editor's Note: Here are the completed items.] 

Done     Submit 'OAuth 2.0 Threat Model and Security Considerations' as
a working group item
Done     Submit 'HTTP Authentication: MAC Authentication' as a working
group item
Done     Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for
consideration as a Proposed Standard
Done     Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for
consideration as a Proposed Standard

[Editor's Note: Finishing existing work. Double-check the proposed dates
- are they realistic?] 

Jun. 2012        Submit 'HTTP Authentication: MAC Authentication' to the
IESG for consideration as a Proposed Standard
Apr. 2012        Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth
2.0' to the IESG for consideration as a Proposed Standard
Apr. 2012  Submit 'OAuth 2.0 Assertion Profile' to the IESG for
consideration as a Proposed Standard 
Apr. 2012  Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for
consideration as a Proposed Standard 
May 2012    Submit 'OAuth 2.0 Threat Model and Security Considerations'
to the IESG for consideration as an Informational RFC

[Editor's Note: New work for the group. 5 items maximum! ]

Aug. 2012    Submit 'Token Revocation' to the IESG for consideration as
a Proposed Standard

[Starting point for the work will be
http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/]

Nov. 2012    Submit 'JSON Web Token (JWT)' to the IESG for consideration
as a Proposed Standard

[Starting point for the work will be
http://tools.ietf.org/html/draft-jones-json-web-token]

Nov. 2012    Submit 'JSON Web Token (JWT) Bearer Token Profiles for
OAuth 2.0' to the IESG for consideration as a Proposed Standard

[Starting point for the work will be
http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer]

Jan. 2013    Submit 'OAuth Dynamic Client Registration Protocol' to the
IESG for consideration as a Proposed Standard

[Starting point for the work will be
http://tools.ietf.org/html/draft-hardjono-oauth-dynreg] 

Sep. 2012    Submit 'OAuth Use Cases' to the IESG for consideration as
an Informational RFC

[Starting point for the work will be
http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases] 



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email