Re: [oauth] Another Charter Text Update
Aaron Stone <aaron@serendipity.cx> Mon, 23 February 2009 18:55 UTC
Looks good to me!

On Mon, 23 Feb 2009 15:10:46 +0200, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
> Only a few more days to provide your comments on the charter text!
> The deadline is February 27th.
>
> -----------------------------------------------------------------
>
> Open Authentication Protocol (oauth)
>
> Last Modified: 2009-02-23
>
> Chair(s):
>
> TBD
>
> Applications Area Director(s):
>
> Chris Newman <chris.newman@sun.com>
> Lisa Dusseault <lisa@osafoundation.org>
>
> Applications Area Advisor:
>
> TBD
>
> Mailing Lists:
>
> https://www.ietf.org/mailman/listinfo/oauth
>
> Description of Working Group:
>
> OAuth allows a user to grant a third-party Web site or application
> access to their resources, without necessarily revealing their
> credentials, or even their identity. For example, a photo-sharing site
> that supports OAuth would allow its users to use a third-party printing
> Web site to access their private pictures, without gaining full control
> of the user account.
>
> OAuth consists of:
> * A mechanism for exchanging a user's credentials for a token-secret
> pair which can be used by a third party to access resources on their
> behalf.
> * A mechanism for signing HTTP requests with the token-secret pair.
>
> The Working Group will produce one or more documents suitable for
> consideration as Proposed Standard, based upon
> draft-hammer-oauth-00.txt, that will:
> * Improve the terminology used.
> * Embody good security practice, or document gaps in its capabilities,
> and propose a path forward for addressing the gap.
> * Promote interoperability.
> * Provide guidelines for extensibility.
>
> This specifically means that as a starting point for the working group
> OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available
> extension points are going to be utilized. The WG will profile OAuth
> 1.0 in a way that produces a specification that is a backwards
> compatible profile, i.e. any OAuth 1.0 and the specification produced
> by this group must support a basic set of features to guarantee
> interoperability.
>
> Furthermore, OAuth 1.0 defines three signature methods used to protect
> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work
> on new signature methods and will describe the environments where new
> security requirements justify their usage. Existing signature methods
> will not be modified but may be dropped as part of the backwards
> compatible profiling activity. The applicability of existing and new
> signature methods to protocols other than HTTP will be investigated.
>
> The Working Group should consider:
> * Implementer experience.
> * The end-user experience, including internationalization
> * Existing uses of OAuth.
> * Ability to achieve broad implementation.
> * Ability to address broader use cases than may be contemplated by the
> original authors.
>
> The Working Group is not tasked with defining a generally applicable
> HTTP Authentication mechanism (i.e., browser-based "2-leg" scenario),
> and should consider this work out of scope in its discussions. However,
> if the deliverables are able to be factored in such a way that this is a
> byproduct, or such a scenario could be addressed by additional future
> work, the Working Group may choose to do so.
>
> After delivering OAuth, the Working Group may consider defining
> additional functions and/or extensions, for example (but not limited
> to):
> * Discovery of OAuth configuration. e.g.,
> http://oauth.net/discovery/1.0.
> * Comprehensive message integrity e.g.,
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
> * Recommendations regarding the structure of the token.
> * Localization e.g.,
> http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
> * Session-oriented tokens e.g.,
> http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
> * Alternate token exchange profiles e.g.,
> draft-dehora-farrell-oauth-accesstoken-creds-00.
>
>
> Goals and Milestones:
>
> Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
>             working group item
>             (draft-hammer-oauth will be used as a starting point for
>             further work.)
> Jul 2009    Start of discussion about OAuth extensions the group should
>             work on
> Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
>             Delegation Protocol'
> Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to
>             the IESG for consideration as a Proposed Standard
> Nov 2009    Prepare milestone update to start new work within the scope
>             of the charter
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

- [oauth] Another Charter Text Update Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Another Charter Text Update Stephen Farrell
- Re: [oauth] Another Charter Text Update Aaron Stone
- Re: [oauth] Another Charter Text Update Hannes Tschofenig
- Re: [oauth] Another Charter Text Update Ben Ramsey