Return-Path: X-Original-To: oauth@core3.amsl.com Delivered-To: oauth@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 743063A6BE0 for ; Fri, 6 Feb 2009 11:04:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.872 X-Spam-Level: X-Spam-Status: No, score=-2.872 tagged_above=-999 required=5 tests=[AWL=-0.274, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQSBV93D0AUE for ; Fri, 6 Feb 2009 11:04:43 -0800 (PST) Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.239]) by core3.amsl.com (Postfix) with ESMTP id 901AF3A6BDE for ; Fri, 6 Feb 2009 11:04:43 -0800 (PST) Received: by rv-out-0506.google.com with SMTP id b25so875773rvf.49 for ; Fri, 06 Feb 2009 11:04:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:cc:content-type; bh=wvYfB77uk7O40BXC6QhPE+GhPd/YVBAYaj2GPgz7kCc=; b=W5B+PpoomCyzJqI1CoM4wb3mTzTbsRkP5aO5D6lqpe/WjP6e2Bnf/XNYuNVsUX7GUc VVNa0tNoGLbIVug/EAV0mx1uVNGgW7TaUUdYU+BPPIc98jwUo+zaRWrSzvReZgtjduJk Fr9PryMPTG8RAAoFA0J4r8jP38NaW+Q+EYlqs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; b=tMsMPUkEB0i71kpWnHwYVrXDpyYgy/JuvZwe2DBSnxVqjIeoe0OX2B6a0R6R47wQgH qTUb8VGcAChDjHB/I1fdg82U4SCd6ok+TkIrR8EzbD1cMKYac/NStHwi5NhtkwT1sW8+ Pfr6mjELnwrGYBJFjwjqHStJ749c2NGaHQeTs= MIME-Version: 1.0 Received: by 10.140.186.20 with SMTP id j20mr1502147rvf.272.1233947085328; Fri, 06 Feb 2009 11:04:45 -0800 (PST) Date: Fri, 6 Feb 2009 11:04:45 -0800 Message-ID: From: Lisa Dusseault To: oauth@ietf.org Content-Type: multipart/alternative; boundary=000e0cd14e7cb15301046244b11e Cc: gregory.ietf@gmail.com Subject: [oauth] Comment on charter X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Oauth bof discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2009 19:04:44 -0000 --000e0cd14e7cb15301046244b11e Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Here's a comment on the charter, Greg told me this in person but I asked him to follow up on the list. He's not on the list, so please keep him on the cc' for this discussion: Oauth team, I think the work you are doing is meaningful and I hope to see it transition to WG soon. Here is a comment to your charter that I made from the mic at the last BoF, and which I hope to see included in the next version of the charter. >From the charter: "The Working Group will produce one or more documents suitable for consideration as Proposed Standard, based upon the OAuth I-D, that will: * Align OAuth with the Internet and Web architectures, best practices and terminology * Assure good security practice, or document gaps in its capabilities * Promote interoperability" Change second bullet to: "* Assure good security practice, or document gaps in its capabilities, and propose a path forward for addressing the gap." The reason: we have experienced in other places in IETF where documents with less-than-perfect security get hung up in Security Area review, and for good reason. We want secure protocols that use modern, best-practice secruity mechanisms. However, sometimes getting from today to that state of best-practice security mechanism is non-trivial, and will take standard and implementation work. We are learning over time that (1) documenting security gaps, combined with (2) a clear path to addressing gaps, and (3) work in progress to addressing gaps goes a long way to making less-than-best-security-practice specifications more acceptable. I.e. The charter change I propose is geared toward helping Oauth see the light of day more quickly, and have an incremental path toward best-practice security. Let me know what you think, Gregorry. --000e0cd14e7cb15301046244b11e Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Here's a comment on the charter, Greg told me this in person but I aske= d him to follow up on the list.  He's not on the list, so please k= eep him on the cc' for this discussion:

Oauth team,
I think the work you are doing is meaningful and I hope to see it transition to WG soon.

Here is a comment to your charter that I made from the mic at the last BoF, and which I hope to see included in the next version of the charter.

From the charter:

"The Working Group will produce one or more = documents suitable
for
consideration as Proposed Standard, based upon= the OAuth I-D, that will:
  * Align OAuth with the Internet and We= b architectures, best
practices and
terminology
  * Assure good security practice, or = document gaps in its
capabilities
  * Promote interoperability&q= uot;

Change second bullet to:
"* Assure good security practi= ce, or document gaps in its
capabilities, and propose a path forward for addressing the gap."
<= br>The reason:  we have experienced in other places in IETF where
d= ocuments with less-than-perfect security get hung up in Security Area
re= view, and for good reason. We want secure protocols that use modern,
best-practice secruity mechanisms. However, sometimes getting from todayto that state of best-practice security mechanism is non-trivial, and
w= ill take standard and implementation work. We are learning over time
that (1) documenting security gaps, combined with (2) a clear path to
ad= dressing gaps, and (3) work in progress to addressing gaps goes a long
w= ay to making less-than-best-security-practice specifications more
accept= able.

I.e. The charter change I propose is geared toward helping Oauth see th= e
light of day more quickly, and have an incremental path toward
best= -practice security.

Let me know what you think,
Gregorry.



--000e0cd14e7cb15301046244b11e--