Re: [oauth] Another Charter Text Update

Aaron Stone <aaron@serendipity.cx> Mon, 23 February 2009 18:55 UTC

Date: Mon, 23 Feb 2009 11:01:07 -0800
From: Aaron Stone <aaron@serendipity.cx>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B450112E54B@FIESEXC015.nsn-intra.net>
References: <3D3C75174CB95F42AD6BCC56E5555B450112E54B@FIESEXC015.nsn-intra.net>
Message-ID: <8311c4a72e55e6e7b5961ca8e1f89ba4@serendipity.cx>
Cc: oauth@ietf.org
Subject: Re: [oauth] Another Charter Text Update

Looks good to me!

On Mon, 23 Feb 2009 15:10:46 +0200, "Tschofenig, Hannes (NSN - FI/Espoo)"
<hannes.tschofenig@nsn.com> wrote:
> Only a few more days to provide your comments on the charter text!
> The deadline is February 27th.
>  
> -----------------------------------------------------------------
> 
> Open Authentication Protocol (oauth)
> 
> Last Modified: 2009-02-23
> 
> Chair(s):
> 
> TBD
> 
> Applications Area Director(s):
> 
> Chris Newman <chris.newman@sun.com>
> Lisa Dusseault <lisa@osafoundation.org> 
> 
> Applications Area Advisor:
> 
> TBD
> 
> Mailing Lists:
> 
> https://www.ietf.org/mailman/listinfo/oauth
> 
> Description of Working Group:
> 
> OAuth allows a user to grant a third-party Web site or application
> access to their resources, without necessarily revealing their
> credentials, or even their identity. For example, a photo-sharing site
> that supports OAuth would allow its users to use a third-party printing
> Web site to access their private pictures, without gaining full control
> of the user account.
> 
> OAuth consists of:
>   * A mechanism for exchanging a user's credentials for a token-secret
> pair which can be used by a third party to access resources on their
> behalf.
>   * A mechanism for signing HTTP requests with the token-secret pair.
> 
> The Working Group will produce one or more documents suitable for
> consideration as Proposed Standard, based upon
> draft-hammer-oauth-00.txt, that will:
>   * Improve the terminology used.
>   * Embody good security practice, or document gaps in its capabilities,
> and propose a path forward for addressing the gap.
>   * Promote interoperability.
>   * Provide guidelines for extensibility.
> 
> This specifically means that as a starting point for the working group
> OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available
> extension points are going to be utilized. The WG will profile OAuth
> 1.0 in a way that produces a specification that is a backwards
> compatible profile, i.e. any OAuth 1.0 and the specification produced
> by this group must support a basic set of features to guarantee
> interoperability.
> 
> Furthermore, OAuth 1.0 defines three signature methods used to protect
> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work
> on new signature methods and will describe the environments where new
> security requirements justify their usage. Existing signature methods
> will not be modified but may be dropped as part of the backwards
> compatible profiling activity. The applicability of existing and new
> signature methods to protocols other than HTTP will be investigated.
> 
> The Working Group should consider:
>   * Implementer experience.
>   * The end-user experience, including internationalization.
>   * Existing uses of OAuth.
>   * Ability to achieve broad implementation.
>   * Ability to address broader use cases than may be contemplated by the
> original authors.
> 
> The Working Group is not tasked with defining a generally applicable
> HTTP Authentication mechanism (i.e., browser-based "2-leg" scenario),
> and should consider this work out of scope in its discussions. However,
> if the deliverables are able to be factored in such a way that this is a
> byproduct, or such a scenario could be addressed by additional future
> work, the Working Group may choose to do so.
> 
> After delivering OAuth, the Working Group may consider defining
> additional functions and/or extensions, for example (but not limited
> to):
>  * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
>  * Comprehensive message integrity, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
>  * Recommendations regarding the structure of the token.
>  * Localization, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
>  * Session-oriented tokens, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
>  * Alternate token exchange profiles, e.g.,
> draft-dehora-farrell-oauth-accesstoken-creds-00.
> 
> 
> Goals and Milestones:
> 
> Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
> working group item
>             (draft-hammer-oauth will be used as a starting point for
> further work.)
> Jul 2009    Start of discussion about OAuth extensions the group should
> work on
> Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
> Delegation Protocol'
> Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to
> the IESG for consideration as a Proposed Standard 
> Nov 2009    Prepare milestone update to start new work within the scope
> of the charter
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
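As an added illustration of the two mechanisms the charter text names (a token-secret pair, and HMAC-SHA1 signing of HTTP requests), the following Python is not part of this message, the charter, or any OAuth draft. It builds the OAuth 1.0 signature base string, computes the HMAC-SHA1 signature, and shows the server-side verification a resource provider would run: constant-time comparison of the recomputed signature, a timestamp freshness window, and one-time nonces so a captured request cannot be replayed. The consumer key, token, secrets, nonce and timestamp are the worked-example values from Appendix A of the OAuth Core 1.0 specification; the function names, the 300-second skew window and the in-memory nonce set are assumptions of this example.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (added example, not charter code)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """Percent-encode per OAuth 1.0: only RFC 3986 unreserved characters stay as-is."""
    return quote(value, safe="-._~")


def normalize_url(url: str) -> str:
    """scheme://host[:port]/path with default ports dropped; query and fragment excluded."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def collect_params(url: str, params):
    """Merge query-string pairs with the oauth_* / body pairs; oauth_signature is never signed."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params if k != "oauth_signature"]
    return pairs


def normalize_params(pairs) -> str:
    """Encode each name and value, sort by name then value, join as name=value&..."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params) -> str:
    """METHOD&enc(base URL)&enc(normalized parameters): the input to every signature method."""
    return "&".join([
        method.upper(),
        oauth_encode(normalize_url(url)),
        oauth_encode(normalize_params(collect_params(url, params))),
    ])


def sign_request(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_request(method, url, params, consumer_secret, token_secret,
                   now=None, max_skew=300, seen_nonces=None) -> bool:
    """Resource-provider check: recompute the signature and compare in constant time,
    then enforce a timestamp window and one-time nonces so a captured request cannot
    be replayed. The window and the nonce store are assumptions of this example."""
    p = dict(params)
    if p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign_request(method, url, params, consumer_secret, token_secret)
    presented = p.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    if now is not None:
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > max_skew:
            return False
    if seen_nonces is not None:
        # Nonce only needs to be unique per consumer key, token and timestamp.
        replay_key = (p.get("oauth_consumer_key"), p.get("oauth_token"),
                      p.get("oauth_timestamp"), p.get("oauth_nonce"))
        if replay_key in seen_nonces:
            return False
        seen_nonces.add(replay_key)
    return True


# Worked-example values from Appendix A of the OAuth Core 1.0 specification.
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_OAUTH_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    sig = sign_request("GET", SAMPLE_URL, SAMPLE_OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(signature_base_string("GET", SAMPLE_URL, SAMPLE_OAUTH_PARAMS))
    print(sig)
    signed = SAMPLE_OAUTH_PARAMS + [("oauth_signature", sig)]
    print(verify_request("GET", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET, seen_nonces=set()))
```

The verification order matters: the signature is checked before the nonce is recorded, so an unauthenticated sender cannot fill the nonce store, and `hmac.compare_digest` is used rather than `==` so the comparison does not leak how many leading bytes matched. Changing any signed parameter (the `size` query value, for instance) or the token secret makes `verify_request` return False.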