Re: [oauth] OAUTH Charter Proposal
Joseph A Holsten <joseph@josephholsten.com> Mon, 02 February 2009 23:30 UTC
Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D6E43A6B1B; Mon, 2 Feb 2009 15:30:34 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C04E43A67B5 for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 15:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.611
X-Spam-Level:
X-Spam-Status: No, score=-1.611 tagged_above=-999 required=5 tests=[AWL=0.988, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHPdotByxaVr for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 15:28:22 -0800 (PST)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185]) by core3.amsl.com (Postfix) with ESMTP id 5A99528C11D for <oauth@ietf.org>; Mon, 2 Feb 2009 15:28:22 -0800 (PST)
Received: by nf-out-0910.google.com with SMTP id b11so266585nfh.39 for <oauth@ietf.org>; Mon, 02 Feb 2009 15:28:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:in-reply-to:references :mime-version:content-type:message-id:cc:content-transfer-encoding :from:subject:date:to:x-pgp-agent:x-mailer; bh=O/MFWHf0EbeYUz7WRDhw2Hx5tPRUJ7Tj2uOLuIyd/2E=; b=MFeKMvR6Mgq2PUv1iAaPw+0Zi1PjcmcjaX+nK7uRT603G8ul2oCz5gqiCp076KOyNn mbv+Jnwf6pfAp3jcCmp4k9ZLRES3ejWAMwQ8gh/amtCVGjYkLf1Yv+3qjwfgLWi6PsV0 YW508yiUuNPNlkYiPsh0kNRqyVhst07lXT31A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:in-reply-to:references:mime-version:content-type:message-id :cc:content-transfer-encoding:from:subject:date:to:x-pgp-agent :x-mailer; b=Ljf7w71FGQwKzqL2/PzvhIAZfWpSW/poSlnzqPT3JIZFWjH/Uvi4HK+GLfUdeT3zgK z0DuIn9VdGc9JzEV431Us5bkx84HrpeTpwCBBDNFpq7vo92qVu7CUNO00Raj4Csd/Xz5 7q5XmuTAVUN5174Xx4ENSlBO/t+/sxCniD2Vc=
Received: by 10.210.34.5 with SMTP id h5mr1972121ebh.161.1233617282224; Mon, 02 Feb 2009 15:28:02 -0800 (PST)
Received: from ?10.168.106.46? (ip68-0-70-106.tu.ok.cox.net [68.0.70.106]) by mx.google.com with ESMTPS id 7sm304800eyg.57.2009.02.02.15.28.00 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 02 Feb 2009 15:28:01 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234127C939A2B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <3D3C75174CB95F42AD6BCC56E5555B45FFEE62@FIESEXC015.nsn-intra.net> <1bc4603e0902020024j71230bbr47b0b2c65b58b2b4@mail.gmail.com> <ca722a9e0902021044y3e305ed1rf5a568d20d8bcb35@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234127C939A2B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <5AB18178-6A4B-4080-AB10-E7D6E933CFB1@josephholsten.com>
From: Joseph A Holsten <joseph@josephholsten.com>
Date: Mon, 02 Feb 2009 17:27:41 -0600
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Pgp-Agent: GPGMail 1.1.2 (Tiger)
X-Mailer: Apple Mail (2.753.1)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-2022-jp"; Format="flowed"; DelSp="yes"
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OAuth has two compontents. The authorization component is a very lightweight capabilities system which is mostly left up to the SP to define. It defines the requirements of the access token (capability) and how to access the resource. It does not currently provide the fine grained control that an authz protocol usually provides (see c- lists, acls). It doesn't need it, but is the right place for it if such control were necessary. The key is that this capability grants access to a resource, therefore it is authz. The other part is very similar to Kerberos ticket granting, which you might call token negotiation, brokered authentication, or delegation. This is about requesting the access token. It is completely optional, and may be left out (see thmbnl implementation), or replaced (see hybrid protocol). While this used to be a service provided by authentication protocols, clearly OAuth proves that ticket granting and authentication may be separate protocols. OAuth could become authn by stating what credentials could be sent directly to the Authorization endpoint. If this was defined, then OAuth would be functionally equivalent to a Kerberos TGS or WS-Trust STS. Normally these protocols do not necessarily grant access to any resource, clearly putting them outside the realm of authz. Since OAuth does grant access, it is unique among protocols. No I don't think they belong in separate specs, but it is useful to look at this in terms of traditional security protocols. But what matters is not so much the terms, as matters the formalization of the protocol. I suggest we create a mailing list oauth-authz-authn- flamewar to continue this discussion. http://josephholsten.com On Feb 2, 2009, at 12:49 PM, Eran Hammer-Lahav wrote: > Of course, even ‘delegation’ is a problematic term. HTTP Basic auth > is not considered a delegation protocol but it really is. The End > User gives the User Agent some credentials to access resources on > its behalf on the Web Server. There is no restriction in Basic auth > about the number of credentials used, so there could be a special > one to give the browser. > > > > Hmm. I guess that makes OAuth a ‘goddamn goddamn protocol’, if we > replace all the problematic words… of course that does not help us > at all. > > > > I would not waste too much time trying to find a one liner to > describe the protocol. And when in doubt, the Core 1.0 spec defines > a framework for us to work with, and can always be used to draw the > lines of what we are trying to solve. > > > > EHL > > > > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth http://josephholsten.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iEYEARECAAYFAkmHgW4ACgkQrPgSa0qMrmGmvQCfSgEOykkwMUmnfId1X8+K01AR FbcAni93Rq91mtuYCHlQBFiFwuOwJokz =6H9y -----END PGP SIGNATURE----- _______________________________________________ oauth mailing list oauth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [oauth] OAUTH Charter Proposal James Aylett
- [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Chris Messina
- Re: [oauth] OAUTH Charter Proposal Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] OAUTH Charter Proposal Chris Messina
- Re: [oauth] OAUTH Charter Proposal Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] OAUTH Charter Proposal George Fletcher
- Re: [oauth] OAUTH Charter Proposal Hubert Le Van Gong
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Hubert Le Van Gong
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal kellan
- Re: [oauth] OAUTH Charter Proposal John Kemp
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal George Fletcher
- Re: [oauth] OAUTH Charter Proposal Lisa Dusseault
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Hallam-Baker, Phillip
- Re: [oauth] OAUTH Charter Proposal Bill de hOra
- Re: [oauth] OAUTH Charter Proposal Joseph A Holsten
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig