[oauth] Community Update

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 18 December 2008 21:40 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@googlegroups.com" <oauth@googlegroups.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 18 Dec 2008 14:20:12 -0700
Thread-Topic: Community Update
Thread-Index: AclhVmljQ5yxVV/vgE2rrYCYTixlVw==
Message-ID: <C56FFE8C.101FE%eran@hueniverse.com>
Subject: [oauth] Community Update

It has been a long time since we touched base as a community to check where
we are and where we want to go. The last time we got together for such a
discussion was at the OAuth Summit back in June. This is in no way an
official update, as I hold no official capacity within the community. But I
hope this is informational and useful.

---

* OAuth @ the IETF

Larry Halff, Blaine Cook, and I had conversations with folks from the IETF
community over the past few months. These resulted in an IETF BoF session at
the 73rd IETF meeting in MN last month. The BoF tried to answer two
questions:

1. Is the problem of delegated auth as presented in the sharing of passwords
across sites something the IETF community cares about and wants to work on?

2. If the answer to #1 is yes, is OAuth a good protocol to use as a starting
point for solving it ("starting point" does not imply anything regarding the
amount of changes)?

The answer to both questions was a strong yes from those present at the
meeting. The outcome of the meeting was to form the new oauth@ietf.org
mailing list and to work on the proposed WG charter, hopefully in time for
the next IETF meeting (74th, March 09 in CA).

The main issue which needs to be resolved now is the "backward
compatibility" language of the charter.

The current OAuth spec has been submitted as an internet draft and is
available at http://tools.ietf.org/html/draft-hammer-oauth-00. Note that the
only official spec at this point is located at http://oauth.net/core/1.0.

* OAuth IPR

The OAuth Core 1.0 specification IPR license has been completed with a
license attached to the spec (http://oauth.net/core/1.0) and signatures
collected from all contributors.

However, we were unable to come up with a satisfactory IPR policy for new
work moving forward. Much of this effort has moved over to the work of the
Open Web Foundation, which is currently discussing an IPR policy that will
provide the OAuth community with a workable solution.

At this point, proposals made with regard to OAuth do not have a clear IPR
policy attached, and each author must choose how to address that. The IETF
process, if successful, will produce a specification covered by the IETF IPR
policy, but that is extremely weak. It may not block adoption but it offers
much less protection than the current OAuth license.

* Extensions

There are currently 11 proposed OAuth extensions. For the most part these are
individual efforts with little community support or interest. Part of the
work involved in writing the IETF charter and standardizing OAuth there is
to figure out which of these extensions fit within the IETF core spec, which
should be published as separate IETF standards, and which should remain as
an individual effort.

The current proposals are (available from http://code.google.com/p/oauth):

- OAuth Discovery
- Body Hash
- Body Signature
- Consumer Request
- Gadgets
- Key Rotation
- Language Preference
- Response Data Format
- Session
- OpenID extension
(http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html)
- Mobile
(http://tools.ietf.org/html/draft-dehora-farrell-oauth-accesstoken-creds-00)

Other proposals not yet formalized include Token Attributes (access type,
duration, scope), Token delegation (sharing tokens across multiple
consumers), Header signatures (signing HTTP headers), and other security
features.

* Mailing Lists

We currently have 3 OAuth mailing lists:

- OAuth (oauth@googlegroups.com)
- OAuth Extensions (oauth-extensions@googlegroups.com)
- OAuth IETF (oauth@ietf.org)

There are also a few language-specific lists:

- OAuth Ruby (http://groups.google.com/group/oauth-ruby)
- OAuth PHP (http://groups.google.com/group/oauth-for-php)
- OAuth Perl (http://groups.google.com/group/oauth-perl)

(I will send a separate post about how we should use these lists moving
forward).

---

Other topics we should review as the year comes to a close are the status
of:

* Adoption
* Tutorials and Documentation
* Code Libraries

If anyone is willing to write those up, please post in reply.

Thanks and Happy Holidays!

EHL

_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth