[OAUTH-WG] OAuth WG Rechartering

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 02 May 2012 17:01 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Wed, 2 May 2012 20:01:33 +0300
Message-Id: <5385BFFC-A6B4-471E-8DD8-FA2CD4506A9C@gmx.net>
To: ext The IESG <iesg-secretary@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "derek@ihtfp.com Atkins" <derek@ihtfp.com>
Subject: [OAUTH-WG] OAuth WG Rechartering

Hi Stephen, Hi IESG secretary, 

Derek and I would like to submit the updated OAuth charter to the IESG.
Please find it below. 

Ciao
Hannes

------

Web Authorization Protocol (oauth)

Description of Working Group

The Web Authorization (OAuth) protocol allows a user to grant
a third-party Web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that supports
OAuth could allow its users to use a third-party printing Web site to
print their private pictures, without allowing the printing site to
gain full control of the user's account and without having the user
share his or her photo-sharing site's long-term credential with the
printing site.

The OAuth protocol suite encompasses
* a procedure for allowing a client to discover a resource server, 
* a protocol for obtaining authorization tokens from an authorization 
server with the resource owner's consent, 
* protocols for presenting these authorization tokens to protected 
resources for access to a resource, and 
* consequently, for sharing data in a security- and privacy-respecting way.

In April 2010 the OAuth 1.0 specification, documenting pre-IETF work,
was published as an informational document (RFC 5849). With the 
completion of OAuth 1.0 the working group started its work on OAuth 2.0
to incorporate implementation experience with version 1.0, additional
use cases, and various other security, readability, and interoperability
improvements. An extensive security analysis was conducted and the result 
is available as a stand-alone document offering guidance for audiences 
beyond the community of protocol implementers.

The working group also developed security schemes for presenting authorization
tokens to access a protected resource. This led to the publication of
the bearer token specification as well as the message authentication
code (MAC) access authentication specification.

OAuth 2.0 added the ability to trade a SAML assertion against an OAuth token with 
the SAML 2.0 bearer assertion profile.  This offers interworking with existing 
identity management solutions, in particular SAML based deployments.

OAuth has enjoyed widespread adoption by the Internet application service provider 
community. To build on this success we aim for nothing more than to make OAuth the 
authorization framework of choice for any Internet protocol. Consequently, the 
ongoing standardization effort within the OAuth working group is focused on 
enhancing interoperability of OAuth deployments. While the core OAuth specification 
truly is an important building block it relies on other specifications in order to 
claim completeness. Luckily, these components already exist and have been deployed 
on the Internet. Through the IETF standards process they will be improved in 
quality and will undergo a rigorous review process. 

Goals and Milestones

Done  Submit 'OAuth 2.0 Threat Model and Security Considerations' as a working group item
Done  Submit 'HTTP Authentication: MAC Authentication' as a working group item
Done  Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for consideration as a Proposed Standard
Done  Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for consideration as a Proposed Standard

May  2012  Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard
May  2012  Submit 'OAuth 2.0 Assertion Profile' to the IESG for consideration as a Proposed Standard 
May  2012  Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for consideration as a Proposed Standard 
May  2012  Submit 'OAuth 2.0 Threat Model and Security Considerations' to the IESG for consideration as an Informational RFC
Dec. 2012  Submit 'HTTP Authentication: MAC Authentication' to the IESG for consideration as a Proposed Standard

Aug. 2012  Submit 'Token Revocation' to the IESG for consideration as a Proposed Standard
[Starting point for the work will be http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/]

Nov. 2012  Submit 'JSON Web Token (JWT)' to the IESG for consideration as a Proposed Standard
[Starting point for the work will be http://tools.ietf.org/html/draft-jones-json-web-token]

Nov. 2012  Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard
[Starting point for the work will be http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer]

Dec. 2012  Submit 'OAuth Use Cases' to the IESG for consideration as an Informational RFC
[Starting point for the work will be http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases] 

Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to the IESG for consideration as a Proposed Standard
[Starting point for the work will be http://tools.ietf.org/html/draft-hardjono-oauth-dynreg]
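Added example, not part of Hannes's message or of any OAuth WG document: Python showing the two token-presentation schemes the charter names, a bearer token header and a MAC access-authentication header, together with the resource-server checks (key lookup, timestamp window, nonce replay, MAC recomputed over the request as received) that give the MAC scheme the replay and tamper resistance a bearer token cannot offer. The header layout and normalized request string are assumed to follow the MAC access authentication draft of the time (ts, nonce, method, request URI, host, port, ext, each newline-terminated) with HMAC-SHA-256; the key id, key, nonce, timestamps and bearer token value are constructed for the example.

```python
import base64
import hashlib
import hmac
import re


def bearer_header(access_token: str) -> str:
    """Bearer scheme: the token string itself is the whole credential, so any
    party that can read the header can replay it unchanged."""
    return f"Bearer {access_token}"


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    """Request elements bound by the MAC, one per line, in the order assumed
    from the MAC draft (ts, nonce, method, request URI, host, port, ext),
    each terminated by a newline."""
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key: str, nrs: str) -> str:
    """HMAC-SHA-256 over the normalized request string, base64 encoded."""
    digest = hmac.new(key.encode("utf-8"), nrs.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def mac_header(key_id, key, ts, nonce, method, uri, host, port, ext=""):
    """Client side: build the Authorization header value for one request."""
    nrs = normalized_request_string(ts, nonce, method, uri, host, port, ext)
    fields = [f'id="{key_id}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if ext:
        fields.append(f'ext="{ext}"')
    fields.append(f'mac="{compute_mac(key, nrs)}"')
    return "MAC " + ", ".join(fields)


_ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_mac_header(header: str) -> dict:
    """Split 'MAC id="..", ts="..", ...' into a dict of its attributes."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    return dict(_ATTR.findall(rest))


class MacVerifier:
    """Resource-server side: the checks that make a MAC-protected request
    non-replayable and tamper-evident."""

    def __init__(self, keys: dict, window: int = 300):
        self.keys = keys      # key id -> MAC key issued alongside the token
        self.window = window  # accepted clock skew in seconds
        self.seen = set()     # (id, ts, nonce) of requests already accepted

    def verify(self, header, method, uri, host, port, now):
        attrs = parse_mac_header(header)
        key = self.keys.get(attrs.get("id"))
        if key is None:
            return False, "unknown key id"
        try:
            ts = int(attrs["ts"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce = attrs.get("nonce", "")
        if (attrs["id"], ts, nonce) in self.seen:
            return False, "replayed nonce"
        # Recompute over the request as actually received, so any change to
        # method, URI, host or port after signing produces a mismatch.
        nrs = normalized_request_string(ts, nonce, method, uri, host, port, attrs.get("ext", ""))
        expected = compute_mac(key, nrs).encode("ascii")
        if not hmac.compare_digest(expected, attrs.get("mac", "").encode("utf-8")):
            return False, "mac mismatch"
        self.seen.add((attrs["id"], ts, nonce))
        return True, "ok"


# Constructed values for the demonstration, not real credentials.
KEYS = {"h480djs93hd8": "adiMgxqZ6a8GRfJtQ5sg4y6d"}


def demo():
    """A signed request accepted once, then rejected on replay and on tampering."""
    hdr = mac_header("h480djs93hd8", KEYS["h480djs93hd8"], 1336363200, "dj83hs9s",
                     "GET", "/resource/1?b=1&a=2", "example.com", 80)
    v = MacVerifier(KEYS)
    first = v.verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 80, now=1336363210)
    replay = v.verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 80, now=1336363220)
    tampered = MacVerifier(KEYS).verify(hdr, "GET", "/resource/2", "example.com", 80, now=1336363210)
    return first, replay, tampered


if __name__ == "__main__":
    print(bearer_header("mF_9.B5f-4.1JqM"))
    for outcome in demo():
        print(outcome)
```

The bearer function has nothing to verify because the scheme binds the token to neither the request nor a key, which is why bearer tokens depend entirely on TLS for confidentiality in transit; the MAC verifier shows the extra server state (per-key nonce memory within a clock window) that scheme costs in exchange for surviving exposure of a single request.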