Re: [OAUTH-WG] Internal WG Review: Recharter of Web Authorization Protocol (oauth)

Mike Jones <Michael.Jones@microsoft.com> Wed, 09 May 2012 17:42 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Looks pretty good to me.  I might consider adding a sentence in the paragraph that motivates the new work items (that starts with "The ongoing standardization effort") to motivate the JWT work items.  For instance "Having a standard JSON-based assertion format and a profile for using it with OAuth will both improve interoperability among selected OAuth deployments and facilitate deployments."  (All the other new work items are already motivated in that paragraph.)

Typo:  Change "a authorization" to "an authorization".

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
Sent: Wednesday, May 09, 2012 7:27 AM
To: oauth-chairs@tools.ietf.org
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Internal WG Review: Recharter of Web Authorization Protocol (oauth)


Hi,

There's been a bit of IESG comment on the proposed new charter resulting in a few editorial changes. So just in case, the text below is what I'd like to propose for approval on Thursday.

Let me know if there's anything substantively wrong here, in which case, we'll probably want to re-spin the text and I'll put it back for consideration on the following IESG meeting (another two weeks).

Thanks,
Stephen.

> ------------------------------------------
> Web Authorization Protocol (oauth)
> ------------------------------------------
> Current Status: Active
> Last updated: 2012-05-03
>
> Chairs:
>  Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
>  Derek Atkins <derek@ihtfp.com>
>
> Security Area Directors:
>  Stephen Farrell <stephen.farrell@cs.tcd.ie>
>  Sean Turner <turners@ieca.com>
>
> Security Area Advisor:
>  Stephen Farrell <stephen.farrell@cs.tcd.ie>
>
> Technical Advisor:
>  Peter Saint-Andre <stpeter@stpeter.im>
>
> Mailing Lists:
>  Address:      oauth@ietf.org
>  To Subscribe: https://www.ietf.org/mailman/listinfo/oauth
>  Archive:      http://www.ietf.org/mail-archive/web/oauth/
>
> Description of Working Group:
>
> The Web Authorization (OAuth) protocol allows a user to grant a 
> third-party Web site or application access to the user's protected 
> resources, without necessarily revealing their long-term credentials, 
> or even their identity. For example, a photo-sharing site that 
> supports OAuth could allow its users to use a third-party printing Web 
> site to print their private pictures, without allowing the printing 
> site to gain full control of the user's account and without having the 
> user sharing his or her photo-sharing sites' long-term credential with 
> the printing site.
>
> The OAuth protocol suite encompasses
> * a procedure for allowing a client to discover a authorization 
> server,
> * a protocol for obtaining authorization tokens from an authorization
>   server with the resource owner's consent,
> * protocols for presenting these authorization tokens to protected
>   resources for access to a resource, and
> * consequently for sharing data in a security and privacy respective way.
>
> The working group also developed security schemes for presenting 
> authorization tokens to access a protected resource. This led to the 
> publication of the bearer token, as well as work that remains to be 
> completed on message authentication code (MAC) access authentication 
> and SAML assertions to interwork with existing identity management 
> solutions.  The working group will complete those remaining documents, 
> and will also complete documentation of the OAuth threat model that 
> was started under the previous charter.
>
> The ongoing standardization effort within the OAuth working group will 
> focus on enhancing interoperability of OAuth deployments.  A standard 
> for a token revocation service, which can be separated from the 
> existing web tokens to the token repertoire will enable wider 
> deployment of OAuth.  Extended documentation of OAuth use cases will 
> enhance the understanding of the OAuth framework and provide 
> assistance to implementors.  And dynamic client registration will make 
> it easier to broadly deploy OAuth clients (performing services to users).
>
> Goals and Milestones
>
> Done  Submit 'OAuth 2.0 Threat Model and Security Considerations' as a
>     working group item
> Done  Submit 'HTTP Authentication: MAC Authentication' as a working
>     group item
> Done  Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for
>     consideration as a Proposed Standard
> Done  Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for
>     consideration as a Proposed Standard
>
> May  2012  Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to
>          the IESG for consideration as a Proposed Standard
> May  2012  Submit 'OAuth 2.0 Assertion Profile' to the IESG for
>          consideration as a Proposed Standard
> May  2012  Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for
>          consideration as a Proposed Standard
> May  2012  Submit 'OAuth 2.0 Threat Model and Security Considerations'
>          to the IESG for consideration as an Informational RFC
> Dec. 2012  Submit 'HTTP Authentication: MAC Authentication' to the IESG
>          for consideration as a Proposed Standard
>
> Aug. 2012  Submit 'Token Revocation' to the IESG for consideration as a
>          Proposed Standard
> [Starting point for the work will be
> http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/]
>
> Nov. 2012  Submit 'JSON Web Token (JWT)' to the IESG for consideration
>          as a Proposed Standard
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-jones-json-web-token]
>
> Nov. 2012  Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth
>          2.0' to the IESG for consideration as a Proposed Standard 
> [Starting point for the work will be 
> http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer]
>
> Dec. 2012  Submit 'OAuth Use Cases' to the IESG for consideration as an
>          Informational RFC
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases]
>
> Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to the
>          IESG for consideration as a Proposed Standard
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg]
> ------------------------------------------