IETF Logo Mail Archive

[oauth] Updated OAuth Charter Text

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Tue, 07 April 2009 14:11 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7916B3A6886 for <oauth@core3.amsl.com>; Tue, 7 Apr 2009 07:11:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.518
X-Spam-Level:
X-Spam-Status: No, score=-5.518 tagged_above=-999 required=5 tests=[AWL=1.081, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BhwHsxFGwQ1F for <oauth@core3.amsl.com>; Tue, 7 Apr 2009 07:11:21 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [217.115.75.233]) by core3.amsl.com (Postfix) with ESMTP id 1C9063A69E1 for <oauth@ietf.org>; Tue, 7 Apr 2009 07:11:20 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id n37ECP1D013967 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Tue, 7 Apr 2009 16:12:25 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id n37ECO15030342 for <oauth@ietf.org>; Tue, 7 Apr 2009 16:12:25 +0200
Received: from FIESEXC015.nsn-intra.net ([10.159.0.23]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Tue, 7 Apr 2009 16:11:21 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 07 Apr 2009 17:12:44 +0300
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B45013E80AA@FIESEXC015.nsn-intra.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Updated OAuth Charter Text
Thread-Index: Acm3iuu/KyXNBFprRzuHqVrG4Cx7EA==
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth@ietf.org
X-OriginalArrivalTime: 07 Apr 2009 14:11:21.0454 (UTC) FILETIME=[BA3A90E0:01C9B78A]
Subject: [oauth] Updated OAuth Charter Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2009 14:11:22 -0000

Based on the discussions during the IETF meeting we have updated the
charter text. 

There are two changes worth mentioning: 

** Backwards Compatibility ** 

I tried to clarify the term backwards compatibility based on text
provided by Peter Saint-Andre. Peter had some experience with this topic
already in the context of XMPP and I believe that the text they have
used in their original charter fits quite well. 

** 2-Legged Scenario **

Initially, the 2-legged scenario was out-of-scope. The opinion changed
and folks are now interested to also work on this use case within this
group. 



Here is the new version:

---------------------------


Open Authentication Protocol (oauth)

Last Modified: 2009-04-06

Chair(s):

TBD

Applications Area Director(s):

Alexey Melnikov <alexey.melnikov@isode.com>
Lisa Dusseault <lisa@osafoundation.org> 

Applications Area Advisor:

TBD

Mailing Lists:

https://www.ietf.org/mailman/listinfo/oauth

Description of Working Group:

OAuth allows a user to grant a third-party Web site or application
access to their resources, without necessarily revealing their
credentials, or even their identity. For example, a photo-sharing site
that supports OAuth would allow its users to use a third-party printing
Web site to access their private pictures, without gaining full control
of the user account.

OAuth consists of:
  * A mechanism for exchanging a user's credentials for a token-secret
pair which can be used by a third party to access resources on their
behalf.
  * A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for
consideration as Proposed Standard that will:
  * Improve the terminology used.
  * Embody good security practice, or document gaps in its capabilities,
and propose a path forward for addressing the gap.
  * Promote interoperability.
  * Provide guidelines for extensibility.

This specifically means that as a starting point for the working group
OAuth 1.0 (i.e., draft-hammer-oauth-00.txt), which is a copy of the
original OAuth specification in IETF draft format, is used and the
available extension points are going to be utilized. In completing its
work to profile OAuth 1.0 to become OAuth 1.1, the group will strive to
retain backwards compatibility with the OAuth 1.0 specification.
However, changes that are not backwards compatible might be accepted if
the group determines that the changes are required to meet the group's
technical objectives and the group clearly documents the reasons for
making them.

Furthermore, OAuth 1.0 defines three signature methods used to protect
requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work
on new signature methods and will describe the environments where new
security requirements justify their usage. Existing signature methods
will not be modified but may be dropped as part of the backwards
compatible profiling activity. The applicability of existing and new
signature methods to protocols other than HTTP will be investigated.

The Working Group should consider:
  * Implementer experience.
  * The end-user experience, including internationalization.
  * Existing uses of OAuth.
  * Ability to achieve broad implementation.
  * Ability to address broader use cases than may be contemplated by the
original authors.

After delivering OAuth 1.1, the Working Group may consider defining
additional functions and/or extensions, for example (but not limited
to):
 * Discovery of OAuth configuration, e.g.,
http://oauth.net/discovery/1.0.
 * Comprehensive message integrity, e.g.,
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.htm
l.
 * Recommendations regarding the structure of the token.
 * Localization, e.g.,
http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/
2/spec.html.
 * Session-oriented tokens, e.g.,
http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
 * Alternate token exchange profiles, e.g.,
draft-dehora-farrell-oauth-accesstoken-creds-00.

The work on extensions is within the scope of the working group charter
and requires consensus within the group to add new milestones. 

The Working Group will also define a generally applicable HTTP
authentication mechanism (i.e., browser-based "2-leg" scenerio).

Goals and Milestones:

Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
working group item
            (draft-hammer-oauth will be used as a starting point for
further work.)
Jul 2009    Submit a document as a working group item providing the
functionality of the 2-legged HTTP authentication mechanism 
Jul 2009    Start of discussion about OAuth extensions the group should
work on
Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
Delegation Protocol'
Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to
the IESG for consideration as a Proposed Standard 
Nov 2009    Start Working Group Last Call on the 2-legged HTTP
authentication mechanism document
Nov 2009    Prepare milestone update to start new work within the scope
of the charter
Dec 2009    Submit 2-legged HTTP authentication mechanism document to
the IESG for consideration as a Proposed Standard

v2.23.0 | Report a Bug | By Email