Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
Anthony Nadalin <tonynad@microsoft.com> Thu, 15 May 2014 07:12 UTC
From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 15 May 2014 07:12:41 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/64glGE9YHU44To6OpOzjXMMpXh0
Cc: "oauth@ietf.org" <oauth@ietf.org>

Where is the confusion?

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Wednesday, May 14, 2014 10:59 AM
To: Brian Campbell
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

I know a number of people implementing http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03

Having it on an RFC track may make sense.

I remain to be convinced that a4c adds anything other than confusion.

If the WG wants to take it up it should be aligned with Connect. I think there are more important things to spend time on.

Sent from my iPhone

On May 14, 2014, at 2:24 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

I would object to 'OAuth Authentication' being picked up by the WG as a work item. The starting point draft has expired and it hasn't really been discussed since Berlin nearly a year ago. As I recall, there was only very limited interest in it even then. I also don't believe it fits well with the WG charter.

I would suggest the WG consider picking up 'OAuth Symmetric Proof of Possession for Code Extension' for which there is an excellent starting point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a relatively simple security enhancement which addresses problems currently being encountered in deployments of native clients.

On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

Hi all,

you might have seen that we pushed the assertion documents and the JWT documents to the IESG today. We have also updated the milestones on the OAuth WG page.

This means that we can plan to pick up new work in the group. We have sent a request to Kathleen to change the milestone for the OAuth security mechanisms to use the proof-of-possession terminology.

We also expect an updated version of the dynamic client registration spec incorporating last call feedback within about 2 weeks.

We would like you to think about adding the following milestones to the charter as part of the re-chartering effort:

-----

Nov 2014 Submit 'Token introspection' to the IESG for consideration as a Proposed Standard
Starting point: <draft-richer-oauth-introspection-04>

Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as a Proposed Standard
Starting point: <draft-hunt-oauth-v2-user-a4c-01>

Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a Proposed Standard
Starting point: <draft-jones-oauth-token-exchange-00>

-----

We also updated the charter text to reflect the current situation. Here is the proposed text:

-----

Charter for Working Group

The Web Authorization (OAuth) protocol allows a user to grant a third-party Web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing Web site to print their private pictures, without allowing the printing site to gain full control of the user's account and without having the user share his or her photo-sharing sites' long-term credential with the printing site.

The OAuth 2.0 protocol suite encompasses

* a protocol for obtaining access tokens from an authorization server with the resource owner's consent,
* protocols for presenting these access tokens to resource server for access to a protected resource,
* guidance for securely using OAuth 2.0,
* the ability to revoke access tokens,
* standardized format for security tokens encoded in a JSON format (JSON Web Token, JWT),
* ways of using assertions with OAuth, and
* a dynamic client registration protocol.

The working group also developed security schemes for presenting authorization tokens to access a protected resource. This led to the publication of the bearer token, as well as work that remains to be completed on proof-of-possession and token exchange.

The ongoing standardization effort within the OAuth working group will focus on enhancing interoperability and functionality of OAuth deployments, such as a standard for a token introspection service and standards for additional security of OAuth requests.

-----

Feedback appreciated.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Brian Campbell
Portfolio Architect
bcampbell@pingidentity.com
+1 720.317.2061