[oauth] Community Update
Eran Hammer-Lahav <eran@hueniverse.com> Thu, 18 December 2008 21:40 UTC
It has been a long time since we touched base as a community to check where we are and where we want to go. The last time we got together for such a discussion was at the OAuth Summit back in June. This is in no way an official update, as I hold no official capacity within the community. But I hope this is informational and useful.

---

* OAuth @ the IETF

Larry Halff, Blaine Cook, and I had conversations with folks from the IETF community over the past few months. These resulted in an IETF BoF session at the 73rd IETF meeting in MN last month. The BoF tried to answer two questions:

1. Is the problem of delegated auth as presented in the sharing of passwords across sites something the IETF community cares about and wants to work on?
2. If the answer to #1 is yes, is OAuth a good protocol to use as a starting point for solving it ("starting point" does not imply anything regarding the amount of changes)?

The answer to both questions was a strong yes from those present at the meeting. The outcome of the meeting was to form the new oauth@ietf.org mailing list and to work on the proposed WG charter, hopefully in time for the next IETF meeting (74th, March 09 in CA). The main issue which needs to be resolved now is the "backward compatibility" language of the charter.

The current OAuth spec has been submitted as an internet draft and is available at http://tools.ietf.org/html/draft-hammer-oauth-00. Note that the only official spec at this point is located at http://oauth.net/core/1.0.

* OAuth IPR

The OAuth Core 1.0 specification IPR license has been completed with a license attached to the spec (http://oauth.net/core/1.0) and signatures collected from all contributors. However, we were unable to come up with a satisfactory IPR policy for new work moving forward. Much of this effort has moved over to the work of the Open Web Foundation, which is currently discussing an IPR policy that will provide the OAuth community with a workable solution.

At this point, proposals made with regard to OAuth do not have a clear IPR policy attached, and each author must choose how to address that. The IETF process, if successful, will produce a specification covered by the IETF IPR policy, but that is extremely weak. It may not block adoption but it offers much less protection than the current OAuth license.

* Extensions

There are currently 11 proposed OAuth extensions. For the most part these are individual efforts with little community support or interest. Part of the work involved in writing the IETF charter and standardizing OAuth there is to figure out which of these extensions fit within the IETF core spec, which should be published as separate IETF standards, and which should remain as an individual effort.

The current proposals are (available from http://code.google.com/p/oauth):

- OAuth Discovery
- Body Hash
- Body Signature
- Consumer Request
- Gadgets
- Key Rotation
- Language Preference
- Response Data Format
- Session
- OpenID extension (http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html)
- Mobile (http://tools.ietf.org/html/draft-dehora-farrell-oauth-accesstoken-creds-00)

Other proposals not yet formalized include Token Attributes (access type, duration, scope), Token delegation (sharing tokens across multiple consumers), Header signatures (signing HTTP headers), and other security features.

* Mailing Lists

We currently have 3 OAuth mailing lists:

- OAuth (oauth@googlegroups.com)
- OAuth Extensions (oauth-extensions@googlegroups.com)
- OAuth IETF (oauth@ietf.org)

There are also a few language-specific lists:

- OAuth Ruby (http://groups.google.com/group/oauth-ruby)
- OAuth PHP (http://groups.google.com/group/oauth-for-php)
- OAuth Perl (http://groups.google.com/group/oauth-perl)

(I will send a separate post about how we should use these lists moving forward).

---

Other topics we should review as the year comes to a close are the status of:

* Adoption
* Tutorials and Documentation
* Code Libraries

If anyone is willing to write those up, please post in reply.

Thanks and Happy Holidays!

EHL