Re: [OAUTH-WG] Internal WG Review: Recharter of Web Authorization Protocol (oauth)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 10 May 2012 00:45 UTC
Date: Thu, 10 May 2012 01:45:07 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Hi Mike,

On 05/09/2012 06:41 PM, Mike Jones wrote:
> Looks pretty good to me. I might consider adding a sentence in the paragraph that motivates the new work items (that starts with "The ongoing standardization effort") to motivate the JWT work items. For instance "Having a standard JSON-based assertion format and a profile for using it with OAuth will both improve interoperability among selected OAuth deployments and facilitate deployments." (All the other new work items are already motivated in that paragraph.)

I'm not sufficiently familiar with the current state of play to include "JSON-based" so I've left that out.

> Typo: Change "a authorization" to "an authorization".

Ta,
S.

> -- Mike
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
> Sent: Wednesday, May 09, 2012 7:27 AM
> To: oauth-chairs@tools.ietf.org
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Internal WG Review: Recharter of Web Authorization Protocol (oauth)
>
> Hi,
>
> There's been a bit of IESG comment on the proposed new charter resulting in a few editorial changes. So just in case, the text below is what I'd like to propose for approval on Thursday.
>
> Let me know if there's anything substantively wrong here, in which case, we'll probably want to re-spin the text and I'll put it back for consideration on the following IESG meeting (another two weeks).
>
> Thanks,
> Stephen.
>
>> ------------------------------------------
>> Web Authorization Protocol (oauth)
>> ------------------------------------------
>> Current Status: Active
>> Last updated: 2012-05-03
>>
>> Chairs:
>> Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
>> Derek Atkins <derek@ihtfp.com>
>>
>> Security Area Directors:
>> Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> Sean Turner <turners@ieca.com>
>>
>> Security Area Advisor:
>> Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>
>> Technical Advisor:
>> Peter Saint-Andre <stpeter@stpeter.im>
>>
>> Mailing Lists:
>> Address: oauth@ietf.org
>> To Subscribe: https://www.ietf.org/mailman/listinfo/oauth
>> Archive: http://www.ietf.org/mail-archive/web/oauth/
>>
>> Description of Working Group:
>>
>> The Web Authorization (OAuth) protocol allows a user to grant a third-party Web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing Web site to print their private pictures, without allowing the printing site to gain full control of the user's account and without having the user sharing his or her photo-sharing sites' long-term credential with the printing site.
>>
>> The OAuth protocol suite encompasses
>> * a procedure for allowing a client to discover a authorization server,
>> * a protocol for obtaining authorization tokens from an authorization server with the resource owner's consent,
>> * protocols for presenting these authorization tokens to protected resources for access to a resource, and
>> * consequently for sharing data in a security and privacy respective way.
>>
>> The working group also developed security schemes for presenting authorization tokens to access a protected resource. This led to the publication of the bearer token, as well as work that remains to be completed on message authentication code (MAC) access authentication and SAML assertions to interwork with existing identity management solutions. The working group will complete those remaining documents, and will also complete documentation of the OAuth threat model that was started under the previous charter.
>>
>> The ongoing standardization effort within the OAuth working group will focus on enhancing interoperability of OAuth deployments. A standard for a token revocation service, which can be separated from the existing web tokens to the token repertoire will enable wider deployment of OAuth. Extended documentation of OAuth use cases will enhance the understanding of the OAuth framework and provide assistance to implementors. And dynamic client registration will make it easier to broadly deploy OAuth clients (performing services to users).
>>
>> Goals and Milestones
>>
>> Done       Submit 'OAuth 2.0 Threat Model and Security Considerations' as a working group item
>> Done       Submit 'HTTP Authentication: MAC Authentication' as a working group item
>> Done       Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for consideration as a Proposed Standard
>> Done       Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for consideration as a Proposed Standard
>>
>> May 2012   Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard
>> May 2012   Submit 'OAuth 2.0 Assertion Profile' to the IESG for consideration as a Proposed Standard
>> May 2012   Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for consideration as a Proposed Standard
>> May 2012   Submit 'OAuth 2.0 Threat Model and Security Considerations' to the IESG for consideration as an Informational RFC
>> Dec. 2012  Submit 'HTTP Authentication: MAC Authentication' to the IESG for consideration as a Proposed Standard
>>
>> Aug. 2012  Submit 'Token Revocation' to the IESG for consideration as a Proposed Standard
>>            [Starting point for the work will be http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/]
>>
>> Nov. 2012  Submit 'JSON Web Token (JWT)' to the IESG for consideration as a Proposed Standard
>>            [Starting point for the work will be http://tools.ietf.org/html/draft-jones-json-web-token]
>>
>> Nov. 2012  Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard
>>            [Starting point for the work will be http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer]
>>
>> Dec. 2012  Submit 'OAuth Use Cases' to the IESG for consideration as an Informational RFC
>>            [Starting point for the work will be http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases]
>>
>> Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to the IESG for consideration as a Proposed Standard
>>            [Starting point for the work will be http://tools.ietf.org/html/draft-hardjono-oauth-dynreg]
>> ------------------------------------------