IETF Logo Mail Archive

Re: [oauth] OAUTH Charter Proposal

Joseph A Holsten <joseph@josephholsten.com> Mon, 02 February 2009 23:30 UTC

Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D6E43A6B1B; Mon, 2 Feb 2009 15:30:34 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C04E43A67B5 for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 15:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.611
X-Spam-Level:
X-Spam-Status: No, score=-1.611 tagged_above=-999 required=5 tests=[AWL=0.988, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHPdotByxaVr for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 15:28:22 -0800 (PST)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185]) by core3.amsl.com (Postfix) with ESMTP id 5A99528C11D for <oauth@ietf.org>; Mon, 2 Feb 2009 15:28:22 -0800 (PST)
Received: by nf-out-0910.google.com with SMTP id b11so266585nfh.39 for <oauth@ietf.org>; Mon, 02 Feb 2009 15:28:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:in-reply-to:references :mime-version:content-type:message-id:cc:content-transfer-encoding :from:subject:date:to:x-pgp-agent:x-mailer; bh=O/MFWHf0EbeYUz7WRDhw2Hx5tPRUJ7Tj2uOLuIyd/2E=; b=MFeKMvR6Mgq2PUv1iAaPw+0Zi1PjcmcjaX+nK7uRT603G8ul2oCz5gqiCp076KOyNn mbv+Jnwf6pfAp3jcCmp4k9ZLRES3ejWAMwQ8gh/amtCVGjYkLf1Yv+3qjwfgLWi6PsV0 YW508yiUuNPNlkYiPsh0kNRqyVhst07lXT31A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:in-reply-to:references:mime-version:content-type:message-id :cc:content-transfer-encoding:from:subject:date:to:x-pgp-agent :x-mailer; b=Ljf7w71FGQwKzqL2/PzvhIAZfWpSW/poSlnzqPT3JIZFWjH/Uvi4HK+GLfUdeT3zgK z0DuIn9VdGc9JzEV431Us5bkx84HrpeTpwCBBDNFpq7vo92qVu7CUNO00Raj4Csd/Xz5 7q5XmuTAVUN5174Xx4ENSlBO/t+/sxCniD2Vc=
Received: by 10.210.34.5 with SMTP id h5mr1972121ebh.161.1233617282224; Mon, 02 Feb 2009 15:28:02 -0800 (PST)
Received: from ?10.168.106.46? (ip68-0-70-106.tu.ok.cox.net [68.0.70.106]) by mx.google.com with ESMTPS id 7sm304800eyg.57.2009.02.02.15.28.00 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 02 Feb 2009 15:28:01 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234127C939A2B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <3D3C75174CB95F42AD6BCC56E5555B45FFEE62@FIESEXC015.nsn-intra.net> <1bc4603e0902020024j71230bbr47b0b2c65b58b2b4@mail.gmail.com> <ca722a9e0902021044y3e305ed1rf5a568d20d8bcb35@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234127C939A2B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <5AB18178-6A4B-4080-AB10-E7D6E933CFB1@josephholsten.com>
From: Joseph A Holsten <joseph@josephholsten.com>
Date: Mon, 02 Feb 2009 17:27:41 -0600
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Pgp-Agent: GPGMail 1.1.2 (Tiger)
X-Mailer: Apple Mail (2.753.1)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-2022-jp"; Format="flowed"; DelSp="yes"
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OAuth has two compontents. The authorization component is a very  
lightweight capabilities system which is mostly left up to the SP to  
define. It defines the requirements of the access token (capability)  
and how to access the resource. It does not currently provide the  
fine grained control that an authz protocol usually provides (see c- 
lists, acls). It doesn't need it, but is the right place for it if  
such control were necessary. The key is that this capability grants  
access to a resource, therefore it is authz.

The other part is very similar to Kerberos ticket granting, which you  
might call token negotiation, brokered authentication, or delegation.  
This is about requesting the access token. It is completely optional,  
and may be left out (see thmbnl implementation), or replaced (see  
hybrid protocol). While this used to be a service provided by  
authentication protocols, clearly OAuth proves that ticket granting  
and authentication may be separate protocols. OAuth could become  
authn by stating what credentials could be sent directly to the  
Authorization endpoint. If this was defined, then OAuth would be  
functionally equivalent to a Kerberos TGS or WS-Trust STS. Normally  
these protocols do not necessarily grant access to any resource,  
clearly putting them outside the realm of authz. Since OAuth does  
grant access, it is unique among protocols.

No I don't think they belong in separate specs, but it is useful to  
look at this in terms of traditional security protocols. But what  
matters is not so much the terms, as matters the formalization of the  
protocol. I suggest we create a mailing list oauth-authz-authn- 
flamewar to continue this discussion.

http://josephholsten.com

On Feb 2, 2009, at 12:49 PM, Eran Hammer-Lahav wrote:

> Of course, even ‘delegation’ is a problematic term. HTTP Basic auth  
> is not considered a delegation protocol but it really is. The End  
> User gives the User Agent some credentials to access resources on  
> its behalf on the Web Server. There is no restriction in Basic auth  
> about the number of credentials used, so there could be a special  
> one to give the browser.
>
>
>
> Hmm. I guess that makes OAuth a ‘goddamn goddamn protocol’, if we  
> replace all the problematic words… of course that does not help us  
> at all.
>
>
>
> I would not waste too much time trying to find a one liner to  
> describe the protocol. And when in doubt, the Core 1.0 spec defines  
> a framework for us to work with, and can always be used to draw the  
> lines of what we are trying to solve.
>
>
>
> EHL
>
>
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

http://josephholsten.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmHgW4ACgkQrPgSa0qMrmGmvQCfSgEOykkwMUmnfId1X8+K01AR
FbcAni93Rq91mtuYCHlQBFiFwuOwJokz
=6H9y
-----END PGP SIGNATURE-----
_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email