IETF Logo Mail Archive

Re: [oauth] OAUTH Charter Proposal

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 02 February 2009 17:01 UTC

Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E9B1C3A6BB9; Mon, 2 Feb 2009 09:01:50 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 067DE3A6BB9 for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 09:01:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.436
X-Spam-Level:
X-Spam-Status: No, score=-4.436 tagged_above=-999 required=5 tests=[AWL=-1.837, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dyThh3gmAKuO for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 09:01:49 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 2CBC83A6973 for <oauth@ietf.org>; Mon, 2 Feb 2009 09:01:49 -0800 (PST)
Received: (qmail 20624 invoked from network); 2 Feb 2009 17:01:30 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 2 Feb 2009 17:01:30 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 2 Feb 2009 10:01:29 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Blaine Cook <romeda@gmail.com>
Date: Mon, 02 Feb 2009 10:01:19 -0700
Thread-Topic: [oauth] OAUTH Charter Proposal
Thread-Index: AcmFVUHsc7cPFW4aTomFcNYNSksrKAAAaycg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234127C939A14@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net> <4986F954.1090001@aol.com> <90C41DD21FB7C64BB94121FBBC2E7234127C939A08@P3PW5EX1MB01.EX1.SECURESERVER.NET> <d37b4b430902020842j444cc187j7e332f0badffea47@mail.gmail.com>
In-Reply-To: <d37b4b430902020842j444cc187j7e332f0badffea47@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org

Of course you are authenticating the credentials, but the spec does not tell you how to do it. Following this logic, every spec in the world with dependency on authentication will fall under this category...

OAuth says "go get yourself authenticated and come back with something useful". The method in which the user authenticate against the Service Provider is completely out of scope. But obviously OAuth includes authentication in other areas such as authenticating tokens and potentially the identity of the Consumer and Service Provider (see Sam's review).

This continues debate regarding authz/n is silly. OAuth currently does not specify how to authenticate the end user. But it might (not likely in core) in the future, for example, if it supports structured tokens with self signing capabilities (the user can produce tokens and hand them over to the Consumer without SP involvement, but the ability to authenticate them). In this case the user technically authenticate itself via a certificate and the verification is delegated on from the Consumer to the Service Provider.

We need to separate the marketing from the technical architecture.

EHL


> -----Original Message-----
> From: Blaine Cook [mailto:romeda@gmail.com]
> Sent: Monday, February 02, 2009 8:43 AM
> To: Eran Hammer-Lahav
> Cc: oauth@ietf.org
> Subject: Re: [oauth] OAUTH Charter Proposal
>
> On Mon, Feb 2, 2009 at 4:15 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
> > How is exchanging credentials equal to authentication?
>
> By exchanging the credentials in a verifiable way (i.e., with secrets
> & signing), you're authenticating the consumer as acting on behalf of
> the user. If we weren't trying to do *authenticated* requests, then
> there wouldn't be any point in hiding (or having) secrets.
>
> > I would not want to use the term API in the charter. While this is
> the current use case, I view OAuth as part of the 2617 family, and can
> be used for any HTTP request. I do not think most people consider every
> HTTP request an API call.
>
> +1 - perhaps the more general "Interface" makes sense? I think OAuth
> is actually a bit more general than 2617, in that it's possible to use
> it across transport protocols (though in general we should be
> targeting HTTP first).
>
> b.
_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email