[oauth] Comment on charter
Lisa Dusseault <lisa.dusseault@gmail.com> Fri, 06 February 2009 19:04 UTC
Return-Path: <lisa.dusseault@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 743063A6BE0 for <oauth@core3.amsl.com>; Fri, 6 Feb 2009 11:04:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.872
X-Spam-Level:
X-Spam-Status: No, score=-2.872 tagged_above=-999 required=5 tests=[AWL=-0.274, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQSBV93D0AUE for <oauth@core3.amsl.com>; Fri, 6 Feb 2009 11:04:43 -0800 (PST)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.239]) by core3.amsl.com (Postfix) with ESMTP id 901AF3A6BDE for <oauth@ietf.org>; Fri, 6 Feb 2009 11:04:43 -0800 (PST)
Received: by rv-out-0506.google.com with SMTP id b25so875773rvf.49 for <oauth@ietf.org>; Fri, 06 Feb 2009 11:04:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:cc:content-type; bh=wvYfB77uk7O40BXC6QhPE+GhPd/YVBAYaj2GPgz7kCc=; b=W5B+PpoomCyzJqI1CoM4wb3mTzTbsRkP5aO5D6lqpe/WjP6e2Bnf/XNYuNVsUX7GUc VVNa0tNoGLbIVug/EAV0mx1uVNGgW7TaUUdYU+BPPIc98jwUo+zaRWrSzvReZgtjduJk Fr9PryMPTG8RAAoFA0J4r8jP38NaW+Q+EYlqs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; b=tMsMPUkEB0i71kpWnHwYVrXDpyYgy/JuvZwe2DBSnxVqjIeoe0OX2B6a0R6R47wQgH qTUb8VGcAChDjHB/I1fdg82U4SCd6ok+TkIrR8EzbD1cMKYac/NStHwi5NhtkwT1sW8+ Pfr6mjELnwrGYBJFjwjqHStJ749c2NGaHQeTs=
MIME-Version: 1.0
Received: by 10.140.186.20 with SMTP id j20mr1502147rvf.272.1233947085328; Fri, 06 Feb 2009 11:04:45 -0800 (PST)
Date: Fri, 06 Feb 2009 11:04:45 -0800
Message-ID: <ca722a9e0902061104l3314073bvc6f3e27863e8779d@mail.gmail.com>
From: Lisa Dusseault <lisa.dusseault@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000e0cd14e7cb15301046244b11e"
Cc: gregory.ietf@gmail.com
Subject: [oauth] Comment on charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Feb 2009 19:04:44 -0000
Here's a comment on the charter, Greg told me this in person but I asked him to follow up on the list. He's not on the list, so please keep him on the cc' for this discussion: Oauth team, I think the work you are doing is meaningful and I hope to see it transition to WG soon. Here is a comment to your charter that I made from the mic at the last BoF, and which I hope to see included in the next version of the charter. >From the charter: "The Working Group will produce one or more documents suitable for consideration as Proposed Standard, based upon the OAuth I-D, that will: * Align OAuth with the Internet and Web architectures, best practices and terminology * Assure good security practice, or document gaps in its capabilities * Promote interoperability" Change second bullet to: "* Assure good security practice, or document gaps in its capabilities, and propose a path forward for addressing the gap." The reason: we have experienced in other places in IETF where documents with less-than-perfect security get hung up in Security Area review, and for good reason. We want secure protocols that use modern, best-practice secruity mechanisms. However, sometimes getting from today to that state of best-practice security mechanism is non-trivial, and will take standard and implementation work. We are learning over time that (1) documenting security gaps, combined with (2) a clear path to addressing gaps, and (3) work in progress to addressing gaps goes a long way to making less-than-best-security-practice specifications more acceptable. I.e. The charter change I propose is geared toward helping Oauth see the light of day more quickly, and have an incremental path toward best-practice security. Let me know what you think, Gregorry.
- Re: [oauth] Comment on charter Tschofenig, Hannes (NSN - FI/Espoo)
- [oauth] Comment on charter Lisa Dusseault
- Re: [oauth] Comment on charter Blaine Cook