[OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 21 September 2009 20:39 UTC


http://tools.ietf.org/html/draft-ietf-oauth-authentication
http://tools.ietf.org/html/draft-ietf-oauth-web-delegation

I plan to publish new revisions of the above drafts to include:

* Error codes and optional debug information
* Cleanup of the authentication extensibility model
* Change the version / protocol extensibility model

In addition to general feedback about the drafts, I am looking for specific feedback on the following items which I plan to address in the next drafts:

* Drop core support for the RSA-SHA1 method
* Replace HMAC-SHA1 with HMAC-SHA256
* Define the authentication parameters as method-specific (for example, drop nonce and timestamp from PLAINTEXT)
* The proposed Problem Reporting extension [1], its richness and complexity
* Making the HMAC signature method required for all server implementations
* Changing the delegation flow to require HTTP POST instead of recommending it
* Mandating server support for all three parameter transmission methods
* Adding a token revocation endpoint
* Adding the ability for servers to declare their configuration (methods, etc.) in the WWW-Authenticate header response
* The value of the client credentials (Consumer Key) and feedback from actual implementation experience

In order for your feedback to be included or considered for the next revisions it must be received by 10/2 on the oauth@ietf.org list.

EHL

[1] http://wiki.oauth.net/ProblemReporting
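As an added illustration of the signature-method and nonce/timestamp items in the list above (example code written for this page, not code from the drafts or from the author), here is a minimal OAuth 1.0-style signer and the matching server-side check, with HMAC-SHA256 used as the proposed replacement for HMAC-SHA1. It assumes the base-string construction from the drafts; the "HMAC-SHA256" method name, the replay window and all sample keys and values are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Digest per signature method: HMAC-SHA1 is what the drafts define, HMAC-SHA256
# is the proposed replacement (the "HMAC-SHA256" method name is an assumption).
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def pct(s):
    """Percent-encode with only the RFC 3986 unreserved characters left bare."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Build the signature base string: METHOD & base-URL & normalized params."""
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and u.port not in (80, 443):        # default ports are omitted
        host = f"{host}:{u.port}"
    base_url = f"{u.scheme.lower()}://{host}{u.path}"   # query string is not part of it
    pairs = sorted((pct(k), pct(v)) for k, v in params)  # encode first, then sort
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret="", sig_method="HMAC-SHA256"):
    """Client side: key is encoded consumer secret, '&', encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), DIGESTS[sig_method])
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, seen, now, token_secret="", window=300):
    """Server side: recompute the signature, compare in constant time, and reject
    stale timestamps or replayed (timestamp, nonce) pairs. `seen` is the caller's
    replay cache (a set); `window` is the accepted clock skew in seconds."""
    p = dict(params)
    if p.get("oauth_signature_method") not in DIGESTS:
        return False
    try:
        ts = int(p["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window or (ts, p.get("oauth_nonce")) in seen:
        return False
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign(method, url, unsigned, consumer_secret, token_secret,
                    p["oauth_signature_method"])
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False
    seen.add((ts, p.get("oauth_nonce")))          # only accepted requests consume a nonce
    return True
```

Because the nonce is only recorded after the signature verifies, an unauthenticated sender cannot fill the replay cache; the PLAINTEXT case in the list above would skip the nonce/timestamp checks entirely, which is why the message asks whether those parameters should become method-specific.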