[OAUTH-WG] OAuth Recharting
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 17 December 2015 15:59 UTC
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <5672DBE7.30101@gmx.net>
Date: Thu, 17 Dec 2015 16:59:35 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/5X8YdgrElP1pzftLF3fyxDDq0ec>
Hi all,

at the last IETF meeting in Yokohama we had a rechartering discussion and below is proposed text for the new charter. Please take a look at it and tell me whether it appropriately covers the discussions from our last meeting.

---------------

Charter Text

The Web Authorization (OAuth) protocol allows a user to grant a third-party Web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing Web site to print their private pictures, without allowing the printing site to gain full control of the user's account and without having the user share his or her photo-sharing site's long-term credential with the printing site.

The OAuth 2.0 protocol suite already includes

* a procedure for enabling a client to register with an authorization server,
* a protocol for obtaining authorization tokens from an authorization server with the resource owner's consent, and
* protocols for presenting these authorization tokens to protected resources for access to a resource.

This protocol suite has been enhanced with functionality for interworking with legacy identity infrastructure (e.g., SAML), token revocation, token exchange, dynamic client registration, token introspection, a standardized token format with the JSON Web Token, and specifications that mitigate security attacks, such as Proof Key for Code Exchange.

The ongoing standardization efforts within the OAuth working group focus on increasing the interoperability of OAuth deployments and on improving security. More specifically, the working group is defining proof-of-possession tokens, developing a discovery mechanism, providing guidance for the use of OAuth with native apps, re-introducing the device flow used by devices with limited user interfaces, additional security enhancements for clients communicating with multiple service providers, definition of claims used with JSON Web Tokens, techniques to mitigate open redirector attacks, as well as guidance on encoding state information.

For feedback and discussion about our specifications please subscribe to our public mailing list. For security related bug reports that relate to our specifications please contact <<TBD>>. If the reported bug turns out to be implementation-specific we will attempt to forward it to the appropriate developers.

---------------

Ciao
Hannes
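The charter names Proof Key for Code Exchange (PKCE, RFC 7636) as one of the suite's attack mitigations, and the authorization-code exchange it protects is the "obtaining authorization tokens" step listed above. The following is an added example, not part of the charter or of any working group specification: a client-side code_verifier/code_challenge generation plus a minimal in-memory authorization server that binds each code to its challenge, checks the redirect URI exactly, and invalidates the code on first use or on a failed attempt. The client id, redirect URIs and the `AuthorizationServer` class are illustrative assumptions; the only real-world value used is the S256 test vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636, S256 method) round trip: client and authorization server.

Added example; not code from the OAuth working group. The client ids,
redirect URIs and the AuthorizationServer class are constructed for
illustration only.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters, high entropy.

    32 random bytes encode to exactly 43 base64url characters.
    """
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory AS that stores (client_id, redirect_uri, challenge) per code."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        # Refuse the 'plain' method: it leaks the verifier in the front channel.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str,
              code_verifier: str) -> Optional[dict]:
        # Pop unconditionally: a code is single-use, and a failed attempt
        # (e.g. an interceptor guessing a verifier) burns it as well.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_redirect, stored_challenge = entry
        # Exact-match the client and redirect URI bound at authorization time;
        # prefix or pattern matching is what turns an AS into an open redirector.
        if client_id != stored_client or redirect_uri != stored_redirect:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, stored_challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer"}


def demo_pkce_flow() -> Dict[str, Optional[dict]]:
    """Run the happy path and three attack attempts against the toy AS."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "photo-printer", "https://printer.example/cb"  # assumed
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)

    # Legitimate client: the code it receives is redeemed with its own verifier.
    code_a = srv.authorize(client_id, redirect_uri, challenge)
    legitimate = srv.token(client_id, redirect_uri, code_a, verifier)
    # Replay of an already-redeemed code must fail.
    replayed = srv.token(client_id, redirect_uri, code_a, verifier)

    # Attacker intercepts a fresh code (e.g. via a custom URI scheme on a
    # mobile device) but never saw the verifier.
    code_b = srv.authorize(client_id, redirect_uri, challenge)
    intercepted = srv.token(client_id, redirect_uri, code_b, make_code_verifier())

    # Attacker-controlled redirect URI differs from the one bound to the code.
    code_c = srv.authorize(client_id, redirect_uri, challenge)
    wrong_redirect = srv.token(client_id, "https://evil.example/cb", code_c, verifier)

    return {"legitimate": legitimate, "replayed": replayed,
            "intercepted": intercepted, "wrong_redirect": wrong_redirect}


if __name__ == "__main__":
    for name, result in demo_pkce_flow().items():
        print(f"{name:15s} -> {'token issued' if result else 'denied'}")
```

Burning the code on any failed exchange, not only on success, is the part implementers most often skip; without it an interceptor can keep retrying verifiers against the same code until the legitimate client redeems it.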
- [OAUTH-WG] OAuth Recharting Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Recharting William Denniss
- Re: [OAUTH-WG] OAuth Recharting Kepeng Li
- Re: [OAUTH-WG] OAuth Recharting Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Recharting Hannes Tschofenig