[OAUTH-WG] proposed agenda for second interim meeting
Peter Saint-Andre <stpeter@stpeter.im> Wed, 03 February 2010 05:14 UTC
<hat type='chair'/>

At the first interim meeting, we didn't get through our agenda:

http://www.ietf.org/mail-archive/web/oauth/current/msg01013.html

Therefore I propose that this time we focus on some unfinished business, starting with the topic of authentication. I have reviewed all of the related threads on the list and have come up with the following *rough* agenda. Your feedback is welcome to improve this (a.k.a. "agenda bashing") either on the list or during the meeting.

For logistics information, see here:

http://www.ietf.org/mail-archive/web/oauth/current/msg01085.html

******

AGENDA

Base proposal: draft-ietf-oauth-authentication-01

Eran had hoped to push out a new version in time for our meeting, but hasn't been able to get to it yet. However, I think we can continue to move forward with discussion. Feedback is welcome on the general approach, as well as specific open issues.

Open issues....

Issue #1: Request Signing vs. API Signing vs. Message Signing
http://www.ietf.org/mail-archive/web/oauth/current/msg00961.html

1a. Seeming consensus for message signing.

1b. No consensus yet on message format.
   - JSON and textual key-value seem to be the leading candidates.

1c. Seeming consensus for multiple/extensible signature algorithms.
   - HMAC-SHA1
   - HMAC-SHA256
   - RSASSA-PKCS1-v1.5-SHA256
   - PLAIN over SSL/TLS

   But: which of these are Mandatory-to-Implement?

Issue #2: Include the Normalized Request with the Request?
http://www.ietf.org/mail-archive/web/oauth/current/msg00962.html

Seeming consensus to not include the normalized request (e.g., signature string).

Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption?
http://www.ietf.org/mail-archive/web/oauth/current/msg00963.html

Seeming consensus that channel encryption is must-implement (which does not necessarily mean must-deploy).

Issue #4: Authentication Challenges
http://www.ietf.org/mail-archive/web/oauth/current/msg01039.html

If an authentication (access) request is unacceptable, how does the server tell the client how it can provide proper credentials (e.g., by using a different algorithm)?

Possible other topics:

- Mutual auth?
  http://www.ietf.org/mail-archive/web/oauth/current/msg00935.html

- Resource authorization?
  http://www.ietf.org/mail-archive/web/oauth/current/msg01033.html

******

/psa