IETF Logo Mail Archive

[oauth] OAuth Charter Finalized

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Sun, 01 March 2009 13:12 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1585228C63E for <oauth@core3.amsl.com>; Sun, 1 Mar 2009 05:12:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.278
X-Spam-Level:
X-Spam-Status: No, score=-2.278 tagged_above=-999 required=5 tests=[AWL=0.321, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WcdpDbM7+ZwH for <oauth@core3.amsl.com>; Sun, 1 Mar 2009 05:12:26 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 4ED9C2936F7 for <oauth@ietf.org>; Sun, 1 Mar 2009 05:04:14 -0800 (PST)
Received: (qmail invoked by alias); 01 Mar 2009 13:04:38 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp031) with SMTP; 01 Mar 2009 14:04:38 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+xa4BOfSWxU1ciH0n9RfZ9UPbdKX4Mm16r3xRyXS cpT0jN2FJNZ6mH
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Alexey Melnikov' <alexey.melnikov@isode.com>, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>, chris.newman@sun.com, 'Blaine Cook' <romeda@gmail.com>
Date: Sun, 01 Mar 2009 15:05:38 +0200
Message-ID: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-index: AcmaUjBZB740AJoySkWfX2bPgi8SuQ==
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.53
Cc: oauth@ietf.org
Subject: [oauth] OAuth Charter Finalized
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Mar 2009 13:12:28 -0000

Hi Lisa, Alexey, Chris, 

We have concluded our OAuth charter discussion on the mailing list.  The
charter text can be found below. 

Ciao
Hannes & Blaine

-----------------------

Open Authentication Protocol (oauth)

Last Modified: 2009-03-1

Chair(s):

TBD

Applications Area Director(s):

Chris Newman <chris.newman@sun.com>
Lisa Dusseault <lisa@osafoundation.org> 

Applications Area Advisor:

TBD

Mailing Lists:

https://www.ietf.org/mailman/listinfo/oauth

Description of Working Group:

OAuth allows a user to grant a third-party Web site or application access to
their resources, without necessarily revealing their credentials, or  even
their identity. For example, a photo-sharing site that  supports OAuth would
allow its users to use a third-party printing Web site to access  their
private pictures, without gaining full control of the user account.

OAuth consists of:
  * A mechanism for exchanging a user's credentials for a token-secret pair
which can be used by a third party to access resources on their behalf.
  * A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for
consideration as Proposed Standard, based upon draft-hammer-oauth-00.txt,
that  will:
  * Improve the terminology used.
  * Embody good security practice, or document gaps in its capabilities, and
propose a path forward for addressing the gap.
  * Promote interoperability.
  * Provide guidelines for extensibility.

This specifically means that as a starting point for the working group OAuth
1.0 (draft-hammer-oauth-00.txt) is used and the available extension  points
are going to be utilized. The WG will profile OAuth  1.0 in a way that
produces a specification that is a backwards compatible profile,  i.e. any
OAuth 1.0 and the specification produced by this group must support a basic
set of features to guarantee  interoperability. 

Furthermore, OAuth 1.0 defines three signature methods used to protect
requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on
new signature methods and will describe the environments  where new security
requirements justify their usage. Existing signature methods will not be
modified but may be dropped as part of the backwards compatible profiling
activity. The applicability of existing  and new signature methods to
protocols other than HTTP will be investigated.

The Working Group should consider:
  * Implementer experience.
  * The end-user experience, including internationalization.
  * Existing uses of OAuth.
  * Ability to achieve broad implementation.
  * Ability to address broader use cases than may be contemplated by the
original authors.

The Working Group is not tasked with defining a generally applicable HTTP
Authentication mechanism (i.e., browser-based "2-leg" scenerio), and  should
consider this work out of scope in its discussions.  However, if the
deliverables are able to be factored in such a way that this is a
byproduct, or such a scenario could be addressed by additional future work,
the Working Group may choose to do so.

After delivering OAuth, the Working Group may consider defining additional
functions and/or extensions, for example (but not limited
to):
 * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
 * Comprehensive message integrity, e.g.,
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
 * Recommendations regarding the structure of the token.
 * Localization, e.g.,
http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/sp
ec.html.
 * Session-oriented tokens, e.g.,
http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
 * Alternate token exchange profiles, e.g.,
draft-dehora-farrell-oauth-accesstoken-creds-00.


Goals and Milestones:

Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
working group item
            (draft-hammer-oauth will be used as a starting point for further
work.)
Jul 2009    Start of discussion about OAuth extensions the group should work
on
Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
Delegation Protocol'
Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to the
IESG for consideration as a Proposed Standard 
Nov 2009    Prepare milestone update to start new work within the scope of
the charter

v2.23.0 | Report a Bug | By Email