IETF Logo Mail Archive

[OAUTH-WG] proposed agenda for second interim meeting

Peter Saint-Andre <stpeter@stpeter.im> Wed, 03 February 2010 05:14 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC7373A680A for <oauth@core3.amsl.com>; Tue, 2 Feb 2010 21:14:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.646
X-Spam-Level:
X-Spam-Status: No, score=-2.646 tagged_above=-999 required=5 tests=[AWL=-0.047, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRIHfQUFjpA7 for <oauth@core3.amsl.com>; Tue, 2 Feb 2010 21:14:47 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 65FD83A62C1 for <oauth@ietf.org>; Tue, 2 Feb 2010 21:14:47 -0800 (PST)
Received: from squire.local (dsl-251-115.dynamic-dsl.frii.net [216.17.251.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id DB98E40332 for <oauth@ietf.org>; Tue, 2 Feb 2010 22:15:26 -0700 (MST)
Message-ID: <4B69066C.5050809@stpeter.im>
Date: Tue, 02 Feb 2010 22:15:24 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
X-Enigmail-Version: 1.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070507050203030001090108"
Subject: [OAUTH-WG] proposed agenda for second interim meeting
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 05:14:48 -0000

<hat type='chair'/>

At the first interim meeting, we didn't get through our agenda:

http://www.ietf.org/mail-archive/web/oauth/current/msg01013.html

Therefore I propose that this time we focus on some unfinished business,
starting with the topic of authentication. I have reviewed all of the
related threads on the list and have come up with the following *rough*
agenda. Your feedback is welcome to improve this (a.k.a. "agenda
bashing") either on the list or during the meeting.

For logistics information, see here:

http://www.ietf.org/mail-archive/web/oauth/current/msg01085.html

******

AGENDA

Base proposal: draft-ietf-oauth-authentication-01

Eran had hoped to push out a new version in time for our meeting, but
hasn't been able to get to it yet. However, I think we can continue to
move forward with discussion. Feedback is welcome on the general
approach, as well as specific open issues.

Open issues....

Issue #1: Request Signing vs. API Signing vs. Message Signing
http://www.ietf.org/mail-archive/web/oauth/current/msg00961.html

1a. Seeming consensus for message signing.

1b. No consensus yet on message format.
    - JSON and textual key-value seem to be the leading candidates.

1c. Seeming consensus for multiple/extensible signature algorithms.
    - HMAC-SHA1
    - HMAC-SHA256
    - RSASSA-PKCS1-v1.5-SHA256
    - PLAIN over SSL/TLS

But: which of these are Mandatory-to-Implement?

Issue #2: Include the Normalized Request with the Request?
http://www.ietf.org/mail-archive/web/oauth/current/msg00962.html

Seeming consensus to not include the normalized request (e.g.,
signature string).

Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption?
http://www.ietf.org/mail-archive/web/oauth/current/msg00963.html

Seeming consensus that channel encryption is must-implement (which does
not necessarily mean must-deploy).

Issue #4: Authentication Challenges
http://www.ietf.org/mail-archive/web/oauth/current/msg01039.html

If an authentication (access) request is unacceptable, how does the
server tell the client how it can provide proper credentials (e.g.,
by using a different algorithm)?

Possible other topics:

- Mutual auth?
  http://www.ietf.org/mail-archive/web/oauth/current/msg00935.html

- Resource authorization?
  http://www.ietf.org/mail-archive/web/oauth/current/msg01033.html

******

/psa

v2.23.0 | Report a Bug | By Email