Re: [OAUTH-WG] proposed agenda for second interim meeting
Eran Hammer-Lahav <eran@hueniverse.com> Thu, 04 February 2010 23:26 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Thu, 04 Feb 2010 16:26:50 -0700
All these items are still open for discussion, even if we didn't get to them on the call.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Tuesday, February 02, 2010 11:25 PM
> To: Peter Saint-Andre; OAuth WG
> Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
>
> Please add:
>
> - Discuss Adobe's recent request to allow excluding the host/port from the
> signed message.
>
> - With regards to #4, how should the challenge identify the token to be used
> (realm comes free, do we need another)?
>
> - Should a single token support multiple signature algorithms? This has
> implications as to the information the client has to include with the request
> (the algorithm used, etc.).
>
> - Where should the token structure live? OAuth 1.0 includes two response
> parameters (token and token_secret). However, since we are now moving
> towards having the algorithm part of the token definition, as well as duration
> and other attributes, the server will need to provide this information to the
> client. This calls for a simple schema (can be any format but need to agree to
> consistent names). It is currently part of the authorization/delegation draft
> (implicitly), but we should discuss moving it to the authentication draft since
> that's where it is used (the authorization draft simply hands those "things"
> out).
>
> EHL
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Peter Saint-Andre
> > Sent: Tuesday, February 02, 2010 9:15 PM
> > To: OAuth WG
> > Subject: [OAUTH-WG] proposed agenda for second interim meeting
> >
> > <hat type='chair'/>
> >
> > At the first interim meeting, we didn't get through our agenda:
> >
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01013.html
> >
> > Therefore I propose that this time we focus on some unfinished
> > business, starting with the topic of authentication. I have reviewed
> > all of the related threads on the list and have come up with the following
> > *rough* agenda. Your feedback is welcome to improve this (a.k.a. "agenda
> > bashing") either on the list or during the meeting.
> >
> > For logistics information, see here:
> >
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01085.html
> >
> > ******
> >
> > AGENDA
> >
> > Base proposal: draft-ietf-oauth-authentication-01
> >
> > Eran had hoped to push out a new version in time for our meeting, but
> > hasn't been able to get to it yet. However, I think we can continue to
> > move forward with discussion. Feedback is welcome on the general
> > approach, as well as specific open issues.
> >
> > Open issues....
> >
> > Issue #1: Request Signing vs. API Signing vs. Message Signing
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00961.html
> >
> > 1a. Seeming consensus for message signing.
> >
> > 1b. No consensus yet on message format.
> > - JSON and textual key-value seem to be the leading candidates.
> >
> > 1c. Seeming consensus for multiple/extensible signature algorithms.
> > - HMAC-SHA1
> > - HMAC-SHA256
> > - RSASSA-PKCS1-v1.5-SHA256
> > - PLAIN over SSL/TLS
> >
> > But: which of these are Mandatory-to-Implement?
> >
> > Issue #2: Include the Normalized Request with the Request?
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00962.html
> >
> > Seeming consensus to not include the normalized request (e.g.,
> > signature string).
> >
> > Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption?
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00963.html
> >
> > Seeming consensus that channel encryption is must-implement (which
> > does not necessarily mean must-deploy).
> >
> > Issue #4: Authentication Challenges
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01039.html
> >
> > If an authentication (access) request is unacceptable, how does the
> > server tell the client how it can provide proper credentials (e.g., by
> > using a different algorithm)?
> >
> > Possible other topics:
> >
> > - Mutual auth?
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00935.html
> >
> > - Resource authorization?
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01033.html
> >
> > ******
> >
> > /psa
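The host/port exclusion raised in the first bullet of Eran's reply, worked as an added example that is not code from this thread or from draft-ietf-oauth-authentication: an HMAC-SHA256 message signature over a normalized request, where the resource server recomputes the signature from its own host and port, so a signature made for one server does not verify at another unless host/port are left out of the signed string. The token attribute names, the normalized-request layout and the host names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample token descriptor (attribute names are assumptions): the
# algorithm and duration travel with the token, as proposed in the thread.
TOKEN = {
    "token": "tok-1234",
    "token_secret": "s3cr3t-5678",
    "algorithm": "hmac-sha256",
    "expires_in": 3600,
}

def normalized_request(method, host, port, path, nonce, timestamp, bind_host=True):
    """Assumed normalized-request layout: one field per line. With
    bind_host=False the host/port line is omitted, which is what the
    exclusion request would allow."""
    parts = [method.upper()]
    if bind_host:
        parts.append(f"{host.lower()}:{port}")
    parts += [path, nonce, str(timestamp), TOKEN["token"]]
    return "\n".join(parts)

def sign(base_string, secret):
    """HMAC-SHA256 over the normalized request, keyed with the token secret."""
    return hmac.new(secret.encode(), base_string.encode(), hashlib.sha256).hexdigest()

def make_request(host, port, path, bind_host=True):
    """Client side: build a signed request addressed to one resource server."""
    nonce, ts = secrets.token_hex(8), int(time.time())
    base = normalized_request("GET", host, port, path, nonce, ts, bind_host)
    return {"method": "GET", "path": path, "nonce": nonce, "timestamp": ts,
            "signature": sign(base, TOKEN["token_secret"])}

def verify(server_host, server_port, req, bind_host=True):
    """Server side: recompute the signature with the server's OWN host/port,
    so a signature made for another host verifies only when host/port are
    not part of the signed string."""
    base = normalized_request(req["method"], server_host, server_port, req["path"],
                              req["nonce"], req["timestamp"], bind_host)
    return hmac.compare_digest(sign(base, TOKEN["token_secret"]), req["signature"])

if __name__ == "__main__":
    bound = make_request("api.example.com", 443, "/photos")
    print(verify("api.example.com", 443, bound))    # True: the intended server
    print(verify("other.example.net", 443, bound))  # False: host/port are bound in
    unbound = make_request("api.example.com", 443, "/photos", bind_host=False)
    print(verify("other.example.net", 443, unbound, bind_host=False))  # True
```

The last line is the point of the bullet: once host and port leave the signed string, nothing in the signature ties the request to the server it was meant for.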