[OAUTH-WG] Transactional Authorization: TXAuth Mailing List and BoF

Justin Richer <jricher@mit.edu> Thu, 26 September 2019 21:22 UTC

From: Justin Richer <jricher@mit.edu>
To: oauth <oauth@ietf.org>
Thread-Topic: Transactional Authorization: TXAuth Mailing List and BoF
Date: Thu, 26 Sep 2019 21:21:40 +0000
Message-ID: <38043DF4-6BB2-4B3B-8EC0-B085B19D52CB@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KXq0hQA7qACfJ9Kw-ctufUDkGnc>

Following up from the discussion in Montreal, we’ve created the non-working-group mailing list TXAuth to start discussion of transactional authorization work. Please join the list here:

https://www.ietf.org/mailman/listinfo/txauth

We’ve also proposed a BoF for Singapore. The details of the agenda are still being discussed, and the description follows:

The OAuth protocol and its extensions have provided a powerful set of security capabilities for the internet over the last decade. A transactional model for collecting user consent, describing authorization requests, and delegating authority to another party could provide additional flexibility and power in ways that extending the existing OAuth 2.0 framework does not allow. Additionally, OAuth 2’s many extensions provide point solutions to similar problems that could be better addressed by a unified underlying design. The goal of this BoF is to discuss the additional needs in delegated authorization protocols, gauge the current thinking on how to address them, and to examine how some current and proposed efforts approach such problems. The goal of this BoF is not to discuss how to extend the OAuth 2 protocol itself.

We’ll be talking about use cases that are driving extensions and OAuth-adjacent work, and how this transactional model differs from the OAuth model we’ve all gotten used to. I’ll be presenting the current state of XYZ, but this isn’t just a meeting to adopt XYZ as a solution, and I invite others to present their related work. From this meeting we should have a good sense of where we want to go with this kind of work in the future, including whether this is new work in the OAuth WG or if we should be starting a new WG. I hope to see you all on the new list and in the room for the BoF!

— Justin