Re: [oauth] OAUTH Charter Proposal
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 02 February 2009 16:15 UTC
Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73F1E3A6B99; Mon, 2 Feb 2009 08:15:41 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7AEB33A6B98 for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 08:15:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.479
X-Spam-Level:
X-Spam-Status: No, score=-4.479 tagged_above=-999 required=5 tests=[AWL=-1.880, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utTZo1o5Rm6H for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 08:15:39 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 70B343A6B99 for <oauth@ietf.org>; Mon, 2 Feb 2009 08:15:37 -0800 (PST)
Received: (qmail 9590 invoked from network); 2 Feb 2009 16:15:18 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 2 Feb 2009 16:15:15 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Mon, 2 Feb 2009 09:15:15 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: George Fletcher <gffletch@aol.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Date: Mon, 02 Feb 2009 09:15:05 -0700
Thread-Topic: [oauth] OAUTH Charter Proposal
Thread-Index: AcmFPMnQ+u9fM6vaQ7OGPzxOJRDv7AAE+zSQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234127C939A08@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net> <4986F954.1090001@aol.com>
In-Reply-To: <4986F954.1090001@aol.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org
How is exchanging credentials equal to authentication? I would not want to use the term API in the charter. While this is the current use case, I view OAuth as part of the 2617 family, and can be used for any HTTP request. I do not think most people consider every HTTP request an API call. EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of George Fletcher > Sent: Monday, February 02, 2009 5:47 AM > To: Hannes Tschofenig > Cc: oauth@ietf.org > Subject: Re: [oauth] OAUTH Charter Proposal > > Not wanting to start a huge debate... but within the OAuth community > we've made the distinction between Authentication and Authorization, > with OAuth being an API Authorization protocol and leaving > Authentication out of scope. > > Is this charter planning to tackle authentication as well as > authorization? The statement... > > OAuth consist of: > > * A mechanism for exchanging a user's credentials for a token- > secret pair > > > has me a little confused. I would word this as... > > * A mechanism that allows a user to authorize API access via a > token-secret pair > > Thanks, > George > > > Hannes Tschofenig wrote: > > Hi all, > > > > After a chat with Lisa I got in touch with Eran to slightly revise > the > > charter text that Sam and Mark put together for the last IETF > meeting. > > > > It should addresses some of the comments provided during the BOF. > Your > > feedback is welcome. > > > > Ciao > > Hannes > > > > ------------------------------------- > > > > Open Authentication Protocol (oauth) > > > > Last Modified: 2009-01-30 > > > > Chair(s): > > > > TBD > > > > Applications Area Director(s): > > > > Chris Newman <chris.newman@sun.com> > > Lisa Dusseault <lisa@osafoundation.org> > > > > Applications Area Advisor: > > > > TBD > > > > Mailing Lists: > > > > https://www.ietf.org/mailman/listinfo/oauth > > > > Description of Working Group: > > > > OAuth allows a user to grant a third-party Web site or application > access to > > their resources, without revealing their credentials, or even their > > identity. For example, a photo-sharing site that supports OAuth would > allow > > its users to use a third-party printing Web site to access their > private > > pictures, without gaining full control of the user account. > > > > OAuth consist of: > > * A mechanism for exchanging a user's credentials for a token- > secret pair > > which can be used by a third party to access resources on their > behalf > > * A mechanism for signing HTTP requests with the token-secret pair > > > > The Working Group will produce one or more documents suitable for > > consideration as Proposed Standard, based upon the OAuth I-D, that > will: > > * Align OAuth with the Internet and Web architectures, best > practices and > > terminology > > * Assure good security practice, or document gaps in its > capabilities > > * Promote interoperability > > > > This specifically means that as a starting point for the working > group the > > OAuth 1.0 specification is used and the > > available extension points are going to be utilized. It seems > desireable to > > profile OAuth 1.0 in a way that produces a specification that is a > backwards > > compatible profile, i.e. any OAUTH 1.0 and the specification produced > by > > this group must support a basic set of features to guarantee > > interoperability. > > > > Furthermore, Oauth 1.0 defines three signature methods used to > protect > > requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will > work on > > new signature methods in case the existing mechanisms do not fulfill > the > > security requirements. Existing signature methods will not be > modified but > > may be dropped as part of the backwards compatible profiling > activity. > > > > In doing so, it should consider: > > * Implementer experience > > * Existing uses of OAuth > > * Ability to achieve broad impementation > > * Ability to address broader use cases than may be contemplated by > the > > original authors > > * Impact on the Internet and Web > > > > The Working Group is not tasked with defining a generally applicable > HTTP > > Authentication mechanism (i.e., browser-based "2-leg" scenerio), and > should > > consider this work out of scope in its discussions. However, if the > > deliverables are able to be factored in such a way that this is a > byproduct, > > or such a scenario could be addressed by additional future work, the > Working > > Group may choose to do so. > > > > After delivering OAuth, the Working Group MAY consider defining > additional > > functions and/or extensions, for example > > (but not limited to): > > * Discovery of authentication configuration > > * Message integrity > > * Recommendations regarding the structure of the token > > > > Goals and Milestones: > > > > 12/2009 Submit document(s) suitable for publication as standards- > track > > RFCs. > > > > _______________________________________________ > > oauth mailing list > > oauth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ oauth mailing list oauth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [oauth] OAUTH Charter Proposal James Aylett
- [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Chris Messina
- Re: [oauth] OAUTH Charter Proposal Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] OAUTH Charter Proposal Chris Messina
- Re: [oauth] OAUTH Charter Proposal Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] OAUTH Charter Proposal George Fletcher
- Re: [oauth] OAUTH Charter Proposal Hubert Le Van Gong
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Hubert Le Van Gong
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal kellan
- Re: [oauth] OAUTH Charter Proposal John Kemp
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal George Fletcher
- Re: [oauth] OAUTH Charter Proposal Lisa Dusseault
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Hallam-Baker, Phillip
- Re: [oauth] OAUTH Charter Proposal Bill de hOra
- Re: [oauth] OAUTH Charter Proposal Joseph A Holsten
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig