IETF Logo Mail Archive

Re: [OAUTH-WG] proposed agenda for second interim meeting

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 04 February 2010 23:26 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A8D333A6E87 for <oauth@core3.amsl.com>; Thu, 4 Feb 2010 15:26:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.441
X-Spam-Level:
X-Spam-Status: No, score=-2.441 tagged_above=-999 required=5 tests=[AWL=0.158, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krMHJlKwELg3 for <oauth@core3.amsl.com>; Thu, 4 Feb 2010 15:26:30 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 952303A6E84 for <oauth@ietf.org>; Thu, 4 Feb 2010 15:26:30 -0800 (PST)
Received: (qmail 20967 invoked from network); 4 Feb 2010 23:27:18 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 4 Feb 2010 23:27:18 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 4 Feb 2010 16:27:05 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Thu, 04 Feb 2010 16:26:50 -0700
Thread-Topic: [OAUTH-WG] proposed agenda for second interim meeting
Thread-Index: Acqkj+a9lzJH3q1LRSyqGkSaQ530hQAEQ2XQAFQfuoA=
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437DFBA305E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4B69066C.5050809@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E723437DFBA2A70@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723437DFBA2A70@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2010 23:26:31 -0000

All these items are still open for discussion, even if we didn't get to them on the call.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Tuesday, February 02, 2010 11:25 PM
> To: Peter Saint-Andre; OAuth WG
> Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
> 
> Please add:
> 
> - Discuss Adobe's recent request to allow excluding the host/port from the
> signed message.
> 
> - With regards to #4, how should the challenge identify the token to be used
> (realm comes free, do we need another)?
> 
> - Should a single token support multiple signature algorithms? This has
> implications as to the information the client has to include with the request
> (the algorithm used, etc.).
> 
> - Where should the token structure live? OAuth 1.0 includes two response
> parameters (token and token_secret). However, since we are now moving
> towards having the algorithm part of the token definition, as well as duration
> and other attributes, the server will need to provide this information to the
> client. This calls for a simple schema (can be any format but need to agree to
> consistent names). It is currently part of the authorization/delegation draft
> (implicitly), but we should discuss moving it to the authentication draft since
> that's where it is used (the authorization draft simply hands those "things"
> out).
> 
> EHL
> 
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Peter Saint-Andre
> > Sent: Tuesday, February 02, 2010 9:15 PM
> > To: OAuth WG
> > Subject: [OAUTH-WG] proposed agenda for second interim meeting
> >
> > <hat type='chair'/>
> >
> > At the first interim meeting, we didn't get through our agenda:
> >
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01013.html
> >
> > Therefore I propose that this time we focus on some unfinished
> > business, starting with the topic of authentication. I have reviewed
> > all of the related threads on the list and have come up with the following
> *rough* agenda.
> > Your feedback is welcome to improve this (a.k.a. "agenda
> > bashing") either on the list or during the meeting.
> >
> > For logistics information, see here:
> >
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01085.html
> >
> > ******
> >
> > AGENDA
> >
> > Base proposal: draft-ietf-oauth-authentication-01
> >
> > Eran had hoped to push out a new version in time for our meeting, but
> > hasn't been able to get to it yet. However, I think we can continue to
> > move forward with discussion. Feedback is welcome on the general
> > approach, as well as specific open issues.
> >
> > Open issues....
> >
> > Issue #1: Request Signing vs. API Signing vs. Message Signing
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00961.html
> >
> > 1a. Seeming consensus for message signing.
> >
> > 1b. No consensus yet on message format.
> >     - JSON and textual key-value seem to be the leading candidates.
> >
> > 1c. Seeming consensus for multiple/extensible signature algorithms.
> >     - HMAC-SHA1
> >     - HMAC-SHA256
> >     - RSASSA-PKCS1-v1.5-SHA256
> >     - PLAIN over SSL/TLS
> >
> > But: which of these are Mandatory-to-Implement?
> >
> > Issue #2: Include the Normalized Request with the Request?
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00962.html
> >
> > Seeming consensus to not include the normalized request (e.g.,
> > signature string).
> >
> > Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption?
> > http://www.ietf.org/mail-archive/web/oauth/current/msg00963.html
> >
> > Seeming consensus that channel encryption is must-implement (which
> > does not necessarily mean must-deploy).
> >
> > Issue #4: Authentication Challenges
> > http://www.ietf.org/mail-archive/web/oauth/current/msg01039.html
> >
> > If an authentication (access) request is unacceptable, how does the
> > server tell the client how it can provide proper credentials (e.g., by
> > using a different algorithm)?
> >
> > Possible other topics:
> >
> > - Mutual auth?
> >   http://www.ietf.org/mail-archive/web/oauth/current/msg00935.html
> >
> > - Resource authorization?
> >   http://www.ietf.org/mail-archive/web/oauth/current/msg01033.html
> >
> > ******
> >
> > /psa
> >
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email