Re: [OAUTH-WG] OAuth Recharting

Hannes Tschofenig <> Tue, 05 January 2016 09:36 UTC

I would like to bring this item to your attention again since it may
have gotten lost due to the holidays.

Please let us know whether you have some additional remarks for the new
OAuth charter text. I believe the charter text is phrased generically enough
to cover the items we have been talking about in 2015.

I will post a few additional mails about the specifications I believe
should be dealt with in 2016.

Hannes & Derek

On 12/17/2015 04:59 PM, Hannes Tschofenig wrote:
> Hi all,
> at the last IETF meeting in Yokohama we had a rechartering discussion
> and below is proposed text for the new charter. Please take a look at it
> and tell me whether it appropriately covers the discussions from our
> last meeting.
> ---------------
> Charter Text
> The Web Authorization (OAuth) protocol allows a user to grant a
> third-party Web site or application access to the user's protected
> resources, without necessarily revealing their long-term credentials,
> or even their identity. For example, a photo-sharing site that
> supports OAuth could allow its users to use a third-party printing Web
> site to print their private pictures, without allowing the printing
> site to gain full control of the user's account and without having the
> user share his or her photo-sharing site's long-term credential with
> the printing site.
> The OAuth 2.0 protocol suite already includes
> * a procedure for enabling a client to register with an authorization
> server,
> * a protocol for obtaining authorization tokens from an authorization
> server with the resource owner's consent, and
> * protocols for presenting these authorization tokens to protected
> resources for access to a resource.
> This protocol suite has been enhanced with functionality for
> interworking with legacy identity infrastructure (e.g., SAML), token
> revocation, token exchange, dynamic client registration, token
> introspection, a standardized token format with the JSON Web Token, and
> specifications that mitigate security attacks, such as Proof Key for
> Code Exchange.
> The ongoing standardization efforts within the OAuth working group
> focus on increasing the interoperability of OAuth deployments and on
> improving security. More specifically, the working group is defining proof
> of possession tokens, developing a discovery mechanism,
> providing guidance for the use of OAuth with native apps, re-introducing
> the device flow used by devices with limited user interfaces, additional
> security enhancements for clients communicating with multiple service
> providers, definition of claims used with JSON Web Tokens, techniques to
> mitigate open redirector attacks, as well as guidance on encoding state
> information.
> For feedback and discussion about our specifications please
> subscribe to our public mailing list.
> For security related bug reports that relate to our specifications
> please contact <<TBD>>. If the reported bug
> report turns out to be implementation-specific we will
> attempt to forward it to the appropriate developers.
> ---------------
> Ciao
> Hannes