Re: [OAUTH-WG] OAuth in the news again....

Phil Hunt <phil.hunt@oracle.com> Mon, 01 December 2014 18:34 UTC


One thing to think about is that often people are talking in different ways about the same thing. E.g. in the article, people are talking about authentication as a service, whereas in the IETF we talk about authentication as a protocol.

Mike, Tony, and I ran into this when we named the draft “User Authentication for Clients”.  What we recognized was that at a protocol level, OAuth is being used to pass session information to a client. UA4C doesn’t do authentication but passes parameters and session information.  When we talked about UA4C in the OAuth WG we got caught up (wrongly) in whether the OAuth WG even has a mandate that includes authentication. Yet, “authentication service” is all over OAuth (directly and indirectly - e.g. client authentication vs. user authentication). Developers use OAuth as a service because it depends on authentication of all parties (users, clients, service providers, and endpoints).

Yet, in naming the draft we had to address the idea that what client developers want is access to a User authentication “service” which is how they view OAuth.

The difference between authentication as a “service” vs. “protocol” is subtle but seems important.  I’m not sure if this is the thread that can explain the difference to the common IETF contributor and developer communities — otherwise, I’d be all over it.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Dec 1, 2014, at 8:42 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Hi Hannes,
> 
> When something is written up and agreed upon, I'd recommend that we
> tweet about it in force to get the writeup some attention in an effort
> to help prevent this in the future.  I could blog about it in the IESG
> blogs too if helpful.
> 
> On Mon, Dec 1, 2014 at 11:25 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net> wrote:
>> Hi all,
>> 
>> I fear we have to write another article to clarify what OAuth does and
>> what it does not do based on the misinformation spread with this recent
>> article:
>> http://www.techopedia.com/definition/26694/oauth
>> 
>> A quote from that article:
>> "
>> Graham Williams, a Vancouver-based technology expert, points to what is
>> known as an "open authentication protocol" — or OAuth — where people
>> often unwittingly share personal information with third-party websites.
>> "
>> 
>> Ciao
>> Hannes
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> 
> 
> -- 
> 
> Best regards,
> Kathleen