IETF Logo Mail Archive

Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter

<Dorothy.Gellert@nokia.com> Tue, 17 February 2009 20:44 UTC

Return-Path: <Dorothy.Gellert@nokia.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EAC233A68CF for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 12:44:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6P1gngC5YTYK for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 12:44:07 -0800 (PST)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id 9C6BC3A67A5 for <oauth@ietf.org>; Tue, 17 Feb 2009 12:44:06 -0800 (PST)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com [10.160.244.31]) by mgw-mx06.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id n1HKi4U5026133; Tue, 17 Feb 2009 22:44:10 +0200
Received: from vaebh104.NOE.Nokia.com ([10.160.244.30]) by vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Feb 2009 22:43:14 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.5]) by vaebh104.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Feb 2009 22:43:09 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-01.mgdnok.nokia.com ([65.54.30.5]) with mapi; Tue, 17 Feb 2009 21:43:09 +0100
From: Dorothy.Gellert@nokia.com
To: stephen.farrell@cs.tcd.ie, Hannes.Tschofenig@gmx.net
Date: Tue, 17 Feb 2009 21:43:07 +0100
Thread-Topic: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
Thread-Index: AcmRGpgtNrUn/IH9T5uk5JjrmOw72AAJKJ+g
Message-ID: <26A704E322043948902DFFDD2CB493DB27E8CED2FE@NOK-EUMSG-01.mgdnok.nokia.com>
References: <009e01c99070$11d33100$0201a8c0@nsnintra.net> <499AE273.1010609@cs.tcd.ie>
In-Reply-To: <499AE273.1010609@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Feb 2009 20:43:09.0588 (UTC) FILETIME=[57ED6540:01C99140]
X-Nokia-AV: Clean
Cc: oauth@ietf.org
Subject: Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 20:44:08 -0000

I recall there was a lot of support in Minneapolis for extension targeted for devices as Stephen suggests.  I would support adding the text proposed by Stephen to the OAUTH charter:

"The WG will develop an oauth extension suited for use on challenged devices and by aggregators that allows for the client to directly acquire an access token from a set of credentials. One such scheme is defined in draft-dehora-farrell-oauth-accesstoken-creds"

I don't believe the last sentence precludes any other proposed drafts that meet this goal, if there are other approaches that may be developing in the WG.

Best Regards,
Dorothy


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of ext Stephen Farrell
Sent: Tuesday, February 17, 2009 8:15 AM
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter



Hannes Tschofenig wrote:
> Stephen ask me how their document
> draft-dehora-farrell-oauth-accesstoken-creds-00.txt is reflected in
> the charter text.

Actually, I sent a mail to you and Blaine off list. I guess we should now discuss it on the list, now that you've gone ahead here instead of responding to the off list mail.

Also I didn't ask how "its reflected" I suggested a way to include it, which is quite different.

My suggestion is to add the following:

"The WG will develop an oauth extension suited for use on challenged devices and by aggregators that allows for the client to directly acquire an access token from a set of credentials. One such scheme is defined in draft-dehora-farrell-oauth-accesstoken-creds"

I'd still like to see that included and will certainly suggest it again in SF, as I did in MSP, and without anyone (that I recall) disagreeing with considering the use case.

> Independent of this particular document, I believe that we should
> focus our initial efforts on the Base OAUTH specification rather than
> working on extensions.

Agreed. I never asked that our use case be worked before the spec work is done and have no idea how you formed that impression.

> As such, I would say that (depending on the progress of the work with
> the main specification) we should discuss extensions in the summer
> timeframe.

I think its fair enough to mention the AFAIK only proposed extension that's documented as an I-D in the charter. I don't read your current charter proposal as encompassing our draft without rechartering.

> Regarding this specific extension: I read through
> draft-dehora-farrell-oauth-accesstoken-creds-00.txt and wanted to make
> sure that I understood the extension correctly. Here is a message flow
> that Jeff created some time ago. This document suggests to skip the
> message exchanges marked as (2.*). This means that the redirect from
> the Service Provider to the Customer and the subsequent steps of user
> authentication and authorization are replaced with the ability to
> carry some username/password in the Access token when the Consumer
> sends the request to the Service Provider.

Right.

> My personal view is that this goes a bit against the OAUTH idea.
> Unless the username/password is again created using some other
> mechanism (which the document does not describe) then there are
> vulnerability that OAUTH was initially meant to deal with.

That's sort-of correct, however the point is that its necessary to deploy OAuth for existing mobile devices and some aggregation use cases.

> Additionally, the result is less likely to be easy to deploy.

I think you're 100% wrong there...for the use cases we're considering. On what basis do you say that? Do you think that HTTP redirects on mobiles are just fine?

> As a justification for the work the following argument is provided:
> "HTTP redirection to a browser is unavailable or unsuitable, such as
> intermediary aggregators and mobile or settop devices." I wonder
> whether this is really a problem in today's mobile devices to justify this optimization.

You can wonder, but it is.

Stephen.

_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.43.4 | Report a Bug | By Email | System Status