Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 17 February 2009 23:36 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2318828C17F for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 15:36:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SFeUUfgLviW for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 15:36:50 -0800 (PST)
Received: from relay.imagine.ie (dns1.dns.imagine.ie [87.232.1.40]) by core3.amsl.com (Postfix) with ESMTP id 8A60F3A6A8A for <oauth@ietf.org>; Tue, 17 Feb 2009 15:36:49 -0800 (PST)
Received: from mail1.int.imagine.ie (mail1 [87.232.1.152]) by relay.imagine.ie (Postfix) with ESMTP id 9689A3220B; Tue, 17 Feb 2009 23:36:59 +0000 (GMT)
Received: from [10.87.48.9] (dsl-102-234.cust.imagine.ie [87.232.102.234]) by mail1.int.imagine.ie (8.13.4/8.13.4/Debian-3) with ESMTP id n1HNasRk009015 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Feb 2009 23:36:55 GMT
Message-ID: <499B4AC8.8070009@cs.tcd.ie>
Date: Tue, 17 Feb 2009 23:39:52 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <26A704E322043948902DFFDD2CB493DB27E8CED2FE@NOK-EUMSG-01.mgdnok.nokia.com> <C5C066FB.12B6A%eran@hueniverse.com> <004601c99147$d612c670$0201a8c0@nsnintra.net>
In-Reply-To: <004601c99147$d612c670$0201a8c0@nsnintra.net>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0)
X-Canit-Stats-ID: 37399557 - 543ec378124d (trained as not-spam)
X-CanItPRO-Stream: outgoing
X-Scanned-By: CanIt (www . roaringpenguin . com) on 87.232.1.52
Cc: Dorothy.Gellert@nokia.com, oauth@ietf.org
Subject: Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 23:36:51 -0000
Hannes Tschofenig wrote: > I understand why Stephen asks for getting text about his extension added. I > can imagine that someone else comes up with their favorite extension, > simililarly as you listed in your mail. Right. This being the IETF, taking the trouble to write an I-D, boilerplate and all, counts, As does code. But one without the other is less good than having both. > In some sense it would be fair to add text about the other examples added as > well, if someone cares. Yes, folks writing drafts is a good idea. By all means include mention of topics with I-Ds. > I wonder what other folks in the group think about this topic? You can guess from the above - gate the list (for now) based on who's written up their stuff as an I-D. Doesn't preclude additions later but does require some work before getting on the list in the charter. Stephen. > > Ciao > Hannes > > > > ________________________________ > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On > Behalf Of Eran Hammer-Lahav > Sent: 17 February, 2009 23:07 > To: Dorothy.Gellert@nokia.com; stephen.farrell@cs.tcd.ie; > Hannes.Tschofenig@gmx.net > Cc: oauth@ietf.org > Subject: Re: [oauth] > draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in > the Charter > > > I don't understand why we need to add this. > > There is nothing to stop people from proposing and developing such > ideas. So far we have little implementation experience with much of these > suggestions. The fact is, everyone here is correctly referring to these > ideas as *extensions*. The purpose of this working group is to figure out > the 'core' framework. Error handling is crucial to interop. > Internationalization is important when dealing with user interfaces which > OAuth does even in its core components. These make sense to *consider*. > > But why go and single out one extension just because it has an I-D? > I could have stood up at the BoF and listed at least 10 other extensions > with wide interest. Yahoo cares a lot about its Session extension. Google > cares a lot about a few OpenSocial extensions related to gadgets. We have > known limitations with the use of OAuth consumer credentials in desktop > applications. Many people asked for a standard way of consumer registration. > Discovery has been a big topic for the past year and a half. The choice of > signature method hash functions have been an issue in the past due to lack > to support for some on limited devices. The list goes on and on. > > OAuth Core represents a compromise that allowed a wide range of use > cases to agree on something that provided a good foundation and was based on > implementation experience. For the most part this WG must have the narrow > focus of taking draft-hammer-oauth and bringing it to IETF proposed standard > level. That means focusing on security and interop. Anything else should > come later. > > EHL > > > On 2/17/09 12:43 PM, "Dorothy.Gellert@nokia.com" > <Dorothy.Gellert@nokia.com> wrote: > > > > > > I recall there was a lot of support in Minneapolis for > extension targeted for devices as Stephen suggests. I would support adding > the text proposed by Stephen to the OAUTH charter: > > "The WG will develop an oauth extension suited for use on > challenged devices and by aggregators that allows for the client to directly > acquire an access token from a set of credentials. One such scheme is > defined in draft-dehora-farrell-oauth-accesstoken-creds" > > I don't believe the last sentence precludes any other > proposed drafts that meet this goal, if there are other approaches that may > be developing in the WG. > > Best Regards, > Dorothy > > > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] > On Behalf Of ext Stephen Farrell > Sent: Tuesday, February 17, 2009 8:15 AM > To: Hannes Tschofenig > Cc: oauth@ietf.org > Subject: Re: [oauth] > draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in > the Charter > > > > Hannes Tschofenig wrote: > > Stephen ask me how their document > > draft-dehora-farrell-oauth-accesstoken-creds-00.txt is > reflected in > > the charter text. > > Actually, I sent a mail to you and Blaine off list. I guess > we should now discuss it on the list, now that you've gone ahead here > instead of responding to the off list mail. > > Also I didn't ask how "its reflected" I suggested a way to > include it, which is quite different. > > My suggestion is to add the following: > > "The WG will develop an oauth extension suited for use on > challenged devices and by aggregators that allows for the client to directly > acquire an access token from a set of credentials. One such scheme is > defined in draft-dehora-farrell-oauth-accesstoken-creds" > > I'd still like to see that included and will certainly > suggest it again in SF, as I did in MSP, and without anyone (that I recall) > disagreeing with considering the use case. > > > Independent of this particular document, I believe that we > should > > focus our initial efforts on the Base OAUTH specification > rather than > > working on extensions. > > Agreed. I never asked that our use case be worked before the > spec work is done and have no idea how you formed that impression. > > > As such, I would say that (depending on the progress of > the work with > > the main specification) we should discuss extensions in > the summer > > timeframe. > > I think its fair enough to mention the AFAIK only proposed > extension that's documented as an I-D in the charter. I don't read your > current charter proposal as encompassing our draft without rechartering. > > > Regarding this specific extension: I read through > > draft-dehora-farrell-oauth-accesstoken-creds-00.txt and > wanted to make > > sure that I understood the extension correctly. Here is a > message flow > > that Jeff created some time ago. This document suggests to > skip the > > message exchanges marked as (2.*). This means that the > redirect from > > the Service Provider to the Customer and the subsequent > steps of user > > authentication and authorization are replaced with the > ability to > > carry some username/password in the Access token when the > Consumer > > sends the request to the Service Provider. > > Right. > > > My personal view is that this goes a bit against the OAUTH > idea. > > Unless the username/password is again created using some > other > > mechanism (which the document does not describe) then > there are > > vulnerability that OAUTH was initially meant to deal with. > > That's sort-of correct, however the point is that its > necessary to deploy OAuth for existing mobile devices and some aggregation > use cases. > > > Additionally, the result is less likely to be easy to > deploy. > > I think you're 100% wrong there...for the use cases we're > considering. On what basis do you say that? Do you think that HTTP redirects > on mobiles are just fine? > > > As a justification for the work the following argument is > provided: > > "HTTP redirection to a browser is unavailable or > unsuitable, such as > > intermediary aggregators and mobile or settop devices." I > wonder > > whether this is really a problem in today's mobile devices > to justify this optimization. > > You can wonder, but it is. > > Stephen. > > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > >
- [oauth] draft-dehora-farrell-oauth-accesstoken-cr… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… John Kemp
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Dorothy.Gellert
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Eran Hammer-Lahav
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… John Kemp
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Eran Hammer-Lahav
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Blaine Cook
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Blaine Cook
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell