IETF Logo Mail Archive

Re: [oauth] OAUTH Charter Proposal

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 30 January 2009 22:35 UTC

Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 84FD83A6987; Fri, 30 Jan 2009 14:35:46 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8AFE3A6987 for <oauth@core3.amsl.com>; Fri, 30 Jan 2009 14:35:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.523
X-Spam-Level:
X-Spam-Status: No, score=-4.523 tagged_above=-999 required=5 tests=[AWL=-1.925, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 96OofzoCVF5m for <oauth@core3.amsl.com>; Fri, 30 Jan 2009 14:35:44 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 5868F3A6975 for <oauth@ietf.org>; Fri, 30 Jan 2009 14:35:44 -0800 (PST)
Received: (qmail 10034 invoked from network); 30 Jan 2009 22:35:21 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 30 Jan 2009 22:35:21 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 30 Jan 2009 15:35:21 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Blaine Cook <romeda@gmail.com>
Date: Fri, 30 Jan 2009 15:35:15 -0700
Thread-Topic: [oauth] OAUTH Charter Proposal
Thread-Index: AcmDDXP0PE16PZzvTS2CAgbb7hUV7QADBgvAAAReQWI=
Message-ID: <C5A8C0A3.11CC5%eran@hueniverse.com>
In-Reply-To: <035301c9832a$ae7d6b90$0201a8c0@nsnintra.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0495164254=="
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org

I like the proposed charter. I think it offers enough flexibility for changes while maintaining the spirit and framework of the OAuth Core 1.0 spec.

EHL


On 1/30/09 2:32 PM, "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> wrote:

We need a couple of folks agreeing the charter proposals.

Next, there is the question whether a meeting slot at the next IETF meeting
(in San Francisco) should be requested (e.g., in the form of a BOF). This
would give some discussion time for the details of the BOF or if everyone
likes the charter till then already one could disuss the technical details
instead.

The Area Directors are then requested to charter a working group. They
discuss it within the IESG and get feedback from the IAB. They also need to
find chairs for the group.

Ciao
Hannes

>-----Original Message-----
>From: Blaine Cook [mailto:romeda@gmail.com]
>Sent: 30 January, 2009 21:04
>To: Hannes Tschofenig
>Cc: oauth@ietf.org
>Subject: Re: [oauth] OAUTH Charter Proposal
>
>+1. This looks awesome, thanks Hannes. What are the next steps? My
>understanding is that first we need some kind of consensus on
>this charter, and then ??
>
>b.
>
>On Fri, Jan 30, 2009 at 5:55 PM, Hannes Tschofenig
><Hannes.Tschofenig@gmx.net> wrote:
>> Hi all,
>>
>> After a chat with Lisa I got in touch with Eran to slightly
>revise the
>> charter text that Sam and Mark put together for the last
>IETF meeting.
>>
>> It should addresses some of the comments provided during the
>BOF. Your
>> feedback is welcome.
>>
>> Ciao
>> Hannes
>>
>> -------------------------------------
>>
>> Open Authentication Protocol (oauth)
>>
>> Last Modified: 2009-01-30
>>
>> Chair(s):
>>
>> TBD
>>
>> Applications Area Director(s):
>>
>> Chris Newman <chris.newman@sun.com>
>> Lisa Dusseault <lisa@osafoundation.org>
>>
>> Applications Area Advisor:
>>
>> TBD
>>
>> Mailing Lists:
>>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> Description of Working Group:
>>
>> OAuth allows a user to grant a third-party Web site or application
>> access to their resources, without revealing their credentials, or
>> even their identity. For example, a photo-sharing site that supports
>> OAuth would allow its users to use a third-party printing
>Web site to
>> access their private pictures, without gaining full control
>of the user account.
>>
>> OAuth consist of:
>>  * A mechanism for exchanging a user's credentials for a
>token-secret
>> pair which can be used by a third party to access resources on their
>> behalf
>>  * A mechanism for signing HTTP requests with the token-secret pair
>>
>> The Working Group will produce one or more documents suitable for
>> consideration as Proposed Standard, based upon the OAuth
>I-D, that will:
>>  * Align OAuth with the Internet and Web architectures, best
>practices
>> and terminology
>>  * Assure good security practice, or document gaps in its
>capabilities
>>  * Promote interoperability
>>
>> This specifically means that as a starting point for the
>working group
>> the OAuth 1.0 specification is used and the available
>extension points
>> are going to be utilized. It seems desireable to profile
>OAuth 1.0 in
>> a way that produces a specification that is a backwards compatible
>> profile, i.e. any OAUTH 1.0 and the specification produced by this
>> group must support a basic set of features to guarantee
>> interoperability.
>>
>> Furthermore, Oauth 1.0 defines three signature methods used
>to protect
>> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will
>> work on new signature methods in case the existing mechanisms do not
>> fulfill the security requirements. Existing signature
>methods will not
>> be modified but may be dropped as part of the backwards
>compatible profiling activity.
>>
>> In doing so, it should consider:
>>  * Implementer experience
>>  * Existing uses of OAuth
>>  * Ability to achieve broad impementation
>>  * Ability to address broader use cases than may be contemplated by
>> the original authors
>>  * Impact on the Internet and Web
>>
>> The Working Group is not tasked with defining a generally applicable
>> HTTP Authentication mechanism (i.e., browser-based "2-leg"
>scenerio),
>> and should consider this work out of scope in its discussions.
>> However, if the deliverables are able to be factored in such a way
>> that this is a byproduct, or such a scenario could be addressed by
>> additional future work, the Working Group may choose to do so.
>>
>> After delivering OAuth, the Working Group MAY consider defining
>> additional functions and/or extensions, for example (but not limited
>> to):
>>  * Discovery of authentication configuration
>>  * Message integrity
>>  * Recommendations regarding the structure of the token
>>
>> Goals and Milestones:
>>
>> 12/2009     Submit document(s) suitable for publication as
>standards-track
>> RFCs.
>>
>> _______________________________________________
>> oauth mailing list
>> oauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email