IETF Logo Mail Archive

Re: [oauth] OAUTH Charter Proposal

Hubert Le Van Gong <hubertlvg@gmail.com> Mon, 02 February 2009 15:14 UTC

Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A8BC13A6A0C; Mon, 2 Feb 2009 07:14:42 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 718403A693C for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 07:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Level:
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[AWL=0.073, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dWNj9TzWb8cN for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 07:14:35 -0800 (PST)
Received: from mail-qy0-f11.google.com (mail-qy0-f11.google.com [209.85.221.11]) by core3.amsl.com (Postfix) with ESMTP id 6FE5B3A65A5 for <oauth@ietf.org>; Mon, 2 Feb 2009 07:14:35 -0800 (PST)
Received: by qyk4 with SMTP id 4so1940024qyk.13 for <oauth@ietf.org>; Mon, 02 Feb 2009 07:14:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=P1MsBvV8FPDdy9745kFAsuV7yuzfd4+uqEyUra2HNpE=; b=LsuKRuro2hAoq97NbEGqR9I+8rsWJngaMthZ3Gts2iee2wF+f/q0hXSuh4wkGsM+d1 0I5NiRc/Jc40Mn4lO7f8IgODs0QSwOx+lXewDap0qtS8uKWhRHUv+aWZz7QDL1Js1MbV vm8S4vr/ikttjF3tBAwV8fL/Zg3CUqVlFnGIQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=RxP1bCQTqdDH7N6Qw6nTO7goEDQmnxspnzFdApBCxuzDMspeEpb2GjnrpHT46C2Wiy UDFUTCG5qY6XlrNW/opiUGOLgw+NR22P3vo3EyhNu12ltOyLDn1rIEJtDmZU5A9irYcU cJlnywuRcJXxZgq31msdPIpwFqeJ3LDlRKUjw=
MIME-Version: 1.0
Received: by 10.214.216.2 with SMTP id o2mr6320892qag.385.1233587647625; Mon, 02 Feb 2009 07:14:07 -0800 (PST)
In-Reply-To: <006401c98545$a41f6b90$e846a20a@nsnintra.net>
References: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net> <6c0fd2bc0902020624s221cfc34x7af1de770d34d4ee@mail.gmail.com> <006401c98545$a41f6b90$e846a20a@nsnintra.net>
Date: Mon, 02 Feb 2009 16:14:07 +0100
Message-ID: <6c0fd2bc0902020714v30130802t2090f8d737953010@mail.gmail.com>
From: Hubert Le Van Gong <hubertlvg@gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org

Hi Hannes,

Thanks for the clarification; I understand what was meant.
I would note however that this paragraph mixes 2 distinct
issues: backward compatibility and interoperability.
We want to promote both but not necessarily at the
expense of one of them (and security as well).
For instance, it is recommended that at least one security
algorithm is made mandatory. If we mandate backward
compatibility then that algorithm can only be one of the
algorithms already defined in OAuth 1.0 which, as noted
in older email threads, is not a good idea.
IMHO ensuring interoperability & good security of the
to-be IETF spec is, in fine, paramount to ensuring
100% backward compatibility (of course a solution
could be to mandate at least 2 security algos, one from
the 1.0 spec and another more future-proof).

These considerations may not need to appear in
the charter but I think it is important to be as clear
as possible on the intent of the charter.

Cheers,
Hubert



>>"It seems desireable to profile OAuth 1.0 in a way that
>>produces a specification that is a backwards compatible
>>profile, i.e. any OAUTH 1.0 and the specification produced by
>>this group must support a basic set of features to guarantee
>>interoperability."
>>
>>- Profiling usually means to constrain further an existing
>>specification.
>>  This seems to contradict the part of the charter that talks of
>>  supporting broader use cases beyond the original scope...?
>>  What did you mean there?
>
> When multiple options are provided then indicating which onces are mandatory
> to implement is something that I call profiling. When the profiled version
> is run against Oauth 1.0 it would still interoperate (in some sense; if that
> particular Oauth 1.0 implementation had implemented all options). You
> mention this aspect of improving interoperability in your next paragraph
> below as well.
>
> The sentence about "Ability to address broader use cases than may be
> contemplated by the original authors" can be more seen as a "we leave room
> for extensions that offer additional use cases" phrase.
>
>>- I would argue that there is no guaranteed interoperability in the
>>  current OAuth 1.0 spec. We need to address this. The security report
>>  Sam (Hartman) created highlights a few things that should
>>  be done:
>>  (1) mandatory-to-implement algorithm(s) for security
>>  (2) interoperable way to find the lifetime of a request or
>>      access-token
>>  (3) description of how a service uses OAuth
>
> These things sound good to me. I guess you don't want to list them in the
> charter itself, right?
>
> Ciao
> Hannes
>
>>
>>I had the same comment as George just sent on AuthZ vs. AuthN
>>
>>Cheers,
>>Hubert
>>
>>
>>
>>On Fri, Jan 30, 2009 at 6:55 PM, Hannes Tschofenig
>><Hannes.Tschofenig@gmx.net> wrote:
>>> Hi all,
>>>
>>> After a chat with Lisa I got in touch with Eran to slightly
>>revise the
>>> charter text that Sam and Mark put together for the last
>>IETF meeting.
>>>
>>> It should addresses some of the comments provided during the
>>BOF. Your
>>> feedback is welcome.
>>>
>>> Ciao
>>> Hannes
>>>
>>> -------------------------------------
>>>
>>> Open Authentication Protocol (oauth)
>>>
>>> Last Modified: 2009-01-30
>>>
>>> Chair(s):
>>>
>>> TBD
>>>
>>> Applications Area Director(s):
>>>
>>> Chris Newman <chris.newman@sun.com>
>>> Lisa Dusseault <lisa@osafoundation.org>
>>>
>>> Applications Area Advisor:
>>>
>>> TBD
>>>
>>> Mailing Lists:
>>>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> Description of Working Group:
>>>
>>> OAuth allows a user to grant a third-party Web site or application
>>> access to their resources, without revealing their credentials, or
>>> even their identity. For example, a photo-sharing site that supports
>>> OAuth would allow its users to use a third-party printing
>>Web site to
>>> access their private pictures, without gaining full control
>>of the user account.
>>>
>>> OAuth consist of:
>>>  * A mechanism for exchanging a user's credentials for a
>>token-secret
>>> pair which can be used by a third party to access resources on their
>>> behalf
>>>  * A mechanism for signing HTTP requests with the token-secret pair
>>>
>>> The Working Group will produce one or more documents suitable for
>>> consideration as Proposed Standard, based upon the OAuth
>>I-D, that will:
>>>  * Align OAuth with the Internet and Web architectures, best
>>practices
>>> and terminology
>>>  * Assure good security practice, or document gaps in its
>>capabilities
>>>  * Promote interoperability
>>>
>>> This specifically means that as a starting point for the
>>working group
>>> the OAuth 1.0 specification is used and the available
>>extension points
>>> are going to be utilized. It seems desireable to profile
>>OAuth 1.0 in
>>> a way that produces a specification that is a backwards compatible
>>> profile, i.e. any OAUTH 1.0 and the specification produced by this
>>> group must support a basic set of features to guarantee
>>> interoperability.
>>>
>>> Furthermore, Oauth 1.0 defines three signature methods used
>>to protect
>>> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will
>>> work on new signature methods in case the existing mechanisms do not
>>> fulfill the security requirements. Existing signature
>>methods will not
>>> be modified but may be dropped as part of the backwards
>>compatible profiling activity.
>>>
>>> In doing so, it should consider:
>>>  * Implementer experience
>>>  * Existing uses of OAuth
>>>  * Ability to achieve broad impementation
>>>  * Ability to address broader use cases than may be contemplated by
>>> the original authors
>>>  * Impact on the Internet and Web
>>>
>>> The Working Group is not tasked with defining a generally applicable
>>> HTTP Authentication mechanism (i.e., browser-based "2-leg"
>>scenerio),
>>> and should consider this work out of scope in its discussions.
>>> However, if the deliverables are able to be factored in such a way
>>> that this is a byproduct, or such a scenario could be addressed by
>>> additional future work, the Working Group may choose to do so.
>>>
>>> After delivering OAuth, the Working Group MAY consider defining
>>> additional functions and/or extensions, for example (but not limited
>>> to):
>>>  * Discovery of authentication configuration
>>>  * Message integrity
>>>  * Recommendations regarding the structure of the token
>>>
>>> Goals and Milestones:
>>>
>>> 12/2009     Submit document(s) suitable for publication as
>>standards-track
>>> RFCs.
>>>
>>> _______________________________________________
>>> oauth mailing list
>>> oauth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>
>
_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email