[OAUTH-WG] OAuth Recharting

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 17 December 2015 15:59 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <5672DBE7.30101@gmx.net>
Date: Thu, 17 Dec 2015 16:59:35 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/5X8YdgrElP1pzftLF3fyxDDq0ec>
Subject: [OAUTH-WG] OAuth Recharting

Hi all,

at the last IETF meeting in Yokohama we had a rechartering discussion
and below is proposed text for the new charter. Please take a look at it
and tell me whether it appropriately covers the discussions from our
last meeting.


Charter Text

The Web Authorization (OAuth) protocol allows a user to grant a
third-party Web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing Web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share his or her photo-sharing site's long-term credential with
the printing site.

The OAuth 2.0 protocol suite already includes

* a procedure for enabling a client to register with an authorization
  server,
* a protocol for obtaining authorization tokens from an authorization
  server with the resource owner's consent, and
* protocols for presenting these authorization tokens to protected
  resources for access to a resource.

This protocol suite has been enhanced with functionality for
interworking with legacy identity infrastructure (e.g., SAML), token
revocation, token exchange, dynamic client registration, token
introspection, a standardized token format with the JSON Web Token, and
specifications that mitigate security attacks, such as Proof Key for
Code Exchange.

The ongoing standardization efforts within the OAuth working group
focus on increasing interoperability of OAuth deployments and on
improving security. More specifically, the working group is defining proof
of possession tokens, developing a discovery mechanism,
providing guidance for the use of OAuth with native apps, re-introducing
the device flow used by devices with limited user interfaces, additional
security enhancements for clients communicating with multiple service
providers, definition of claims used with JSON Web Tokens, techniques to
mitigate open redirector attacks, as well as guidance on encoding state

For feedback and discussion about our specifications please
subscribe to our public mailing list.

For security-related bug reports that relate to our specifications
please contact <<TBD>>. If the reported bug
turns out to be implementation-specific we will
attempt to forward it to the appropriate developers.