Re: [OAUTH-WG] OAuth Recharting

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 22 December 2015 08:03 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51341A701D for <oauth@ietfa.amsl.com>; Tue, 22 Dec 2015 00:03:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.24
X-Spam-Level: *
X-Spam-Status: No, score=1.24 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubInSE7aN1mm for <oauth@ietfa.amsl.com>; Tue, 22 Dec 2015 00:03:54 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 467B11A7020 for <oauth@ietf.org>; Tue, 22 Dec 2015 00:03:53 -0800 (PST)
Received: from [192.168.10.142] ([80.92.114.181]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0LgHvY-1aYZyn0LDw-00nfIN; Tue, 22 Dec 2015 09:03:45 +0100
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <5672DBE7.30101@gmx.net> <D29979AD.25D4E%kepeng.lkp@alibaba-inc.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <567903E4.3070501@gmx.net>
Date: Tue, 22 Dec 2015 09:03:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <D29979AD.25D4E%kepeng.lkp@alibaba-inc.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="MrAMGgLp28FNVFf1Kt1j26T1LPCr3TRQF"
X-Provags-ID: V03:K0:r1GxnD0ToL8wBr9LKwbQaOg+fauJjoQF/o3fGw5UUsb0f41xlxU gmHMq6oNZXro7hIvd4GHznseh23j0cR1btcF4kQPh+CPo5m+0vsjYk9MWeNa3zNgy6x8aJU iTYxKCGi/3LXwjSsHDecE2DwYThPEU8sT3XMlUZ0zNQo5m2efN8UR54dgSLbPQj1ZYFtsuI TbNIxzZw0+t0awXXVeovQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:xGiXI0QAn94=:gc3VVRaGhoTUzm4iAH2GKu 9rFjh2XxADVhOX/tXmn/9a8DCd+9COrpV5n+2gZoFStHCJOIuuhoauufR7RHb/MSDLJbpo586 C2B7BfitpK6NLAylSyD06uSABKeILpGFpKToXhDujeQU59p+jzpDomvVlwGoZwyFjVOD5JHsZ SCc405iij50V4t4Pgw/eGtfkGm8fI5MRE2rcaYNeBIRLYYPbM8cNf3n1R2DDOGTF+7vDYTuUw 2eeOOEqmChhFTnyZZ3YXiaggDMaOV26T12TpaKNSv7U2QRRNJSw2cQ6/YCIczBOVnWwAvokwD /hgN5BmM4q+4A9z5tjp2eoPmaQXtzubOv8FdBaCQ8dd0nPbzBjQIN6D7qqBeGUfmCVye2HqUi Cwg8MO0HTUg0iBaGJ+AbVUvyvzPtGOmRDjlbeUUGt3EdzVYq8KXpDRipu0NoXBgC1AY1HQKxi PPNuiMDbpl/Ivpun/V0m7azHC0It1JOWRttnSClYCxsA3OjKBOGHOQm0JPLIA52kdb57EyBIM PFd/0o0VmfayIEQDTZuSLf0DXrgkr/ofXtaCCsKLW6Z8ZrxtzDdLeC0DpkOfqUmLf7/lPto+o ETljflRvXT8FVF7wqp7PuUyuGAAopi8A7Xayx0no31hoLRpKpOShR8CYcsomG0w3PNPLgxUrO IZBn1SSMEI1JvEIlZRMaQ1g0fr6RaE34V/aWiAP0EwidK75n8Yhd+p9Aeu5goJND2cwboM41D ggAuqqbBahCeMsQtyf5hyVnSJcxvPKMUMkHWd+fJz9WL0IUQAEvAhlepldc=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8Z-FV_lpJdFG46ItyNjAzHUGVm4>
Subject: Re: [OAUTH-WG] OAuth Recharting
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 08:03:58 -0000

Hi Kepeng,

I intentionally kept the wording vague to have a bit of freedom when we
do the call for adoption of specific documents.

Having said that I will post a mail to the list to bring up a few
concerns regarding the scope of the PoP work that have been brought to
my attention.

Ciao
Hannes


On 12/18/2015 01:59 AM, Kepeng Li wrote:
> Hi Hannes,
> 
> Thanks for putting this together.
> 
>> and specifications that mitigate security attacks, such as Proof Key for
>> Code Exchange.
> 
> 
> I propose to change it to:
> 
> and specifications that mitigate security attacks, such as Proof Key for
> Code Exchange, and Sender Constraint JSON Web Token.
> 
> 
> Sender Constaint JWT is mentioned in PoP architecture document, but it is
> not 
> specified in detail. That is why we provided a separate draft for that.
> 
> 
> Thanks,
> 
> Kind Regards
> Kepeng
> 
> 在 17/12/15 11:59 pm, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> 写入:
> 
>> Hi all,
>>
>> at the last IETF meeting in Yokohama we had a rechartering discussion
>> and below is proposed text for the new charter. Please take a look at it
>> and tell me whether it appropriately covers the discussions from our
>> last meeting.
>>
>> ---------------
>>
>> Charter Text
>>
>> The Web Authorization (OAuth) protocol allows a user to grant a
>> third-party Web site or application access to the user's protected
>> resources, without necessarily revealing their long-term credentials,
>> or even their identity. For example, a photo-sharing site that
>> supports OAuth could allow its users to use a third-party printing Web
>> site to print their private pictures, without allowing the printing
>> site to gain full control of the user's account and without having the
>> user share his or her photo-sharing sites' long-term credential with
>> the printing site.
>>
>> The OAuth 2.0 protocol suite already includes
>>
>> * a procedure for enabling a client to register with an authorization
>> server,
>> * a protocol for obtaining authorization tokens from an authorization
>> server with the resource owner's consent, and
>> * protocols for presenting these authorization tokens to protected
>> resources for access to a resource.
>>
>> This protocol suite has been enhanced with functionality for
>> interworking with legacy identity infrastructure (e.g., SAML), token
>> revocation, token exchange, dynamic client registration, token
>> introspection, a standardized token format with the JSON Web Token, and
>> specifications that mitigate security attacks, such as Proof Key for
>> Code Exchange.
>>
>> The ongoing standardization efforts within the OAuth working group
>> focus on increasing interoperability of OAuth deployments and to
>> improve security. More specifically, the working group is defining proof
>> of possession tokens, developing a discovery mechanism,
>> providing guidance for the use of OAuth with native apps, re-introducing
>> the device flow used by devices with limited user interfaces, additional
>> security enhancements for clients communicating with multiple service
>> providers, definition of claims used with JSON Web Tokens, techniques to
>> mitigate open redirector attacks, as well as guidance on encoding state
>> information.
>>
>> For feedback and discussion about our specifications please
>> subscribe to our public mailing list.
>>
>> For security related bug reports that relate to our specifications
>> please contact <<TBD>>. If the reported bug
>> report turns out to be implementation-specific we will
>> attempt to forward it to the appropriate developers.
>>
>> ---------------
>>
>>
>> Ciao
>> Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
>