Re: [oauth] OAuth Charter Text (15th April 2009)
Paul Madsen <paul.madsen@gmail.com> Wed, 13 May 2009 13:12 UTC
Message-ID: <4A0AC774.3070806@gmail.com>
Date: Wed, 13 May 2009 09:13:24 -0400
From: Paul Madsen <paul.madsen@gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <010f01c9bd9f$290653a0$0201a8c0@nsnintra.net>
In-Reply-To: <010f01c9bd9f$290653a0$0201a8c0@nsnintra.net>
Cc: oauth@ietf.org, Adrian.Farrel@huawei.com
Subject: Re: [oauth] OAuth Charter Text (15th April 2009)
The wording of the example below seems to imply that the photo-sharing site would necessarily support OAuth, but not the printing site.

paul

Hannes Tschofenig wrote:
> Open Authentication Protocol (oauth)
>
> Last Modified: 2009-04-15
>
> Chair(s):
>
> TBD
>
> Applications Area Director(s):
>
> Alexey Melnikov <alexey.melnikov@isode.com>
> Lisa Dusseault <lisa@osafoundation.org>
>
> Applications Area Advisor:
>
> TBD
>
> Mailing Lists:
>
> https://www.ietf.org/mailman/listinfo/oauth
>
> Description of Working Group:
>
> OAuth allows a user to grant a third-party Web site or application access to
> the user's resources, without necessarily revealing the user's credentials,
> or even the user's identity. For example, a photo-sharing site that supports
> OAuth would allow its users to use a third-party printing Web site to access
> the user's private pictures, without gaining full control of the user
> account.
>
> OAuth consists of:
> * A mechanism for exchanging a user's credentials for a token-secret pair,
> which can be used by a third party to access resources on the user's behalf.
> * A mechanism for signing HTTP requests with the token-secret pair.
>
> The Working Group will produce one or more documents suitable for
> consideration as Proposed Standard that will:
> * Improve the terminology used.
> * Embody good security practice, or document gaps in its capabilities, and
> propose a path forward for addressing the gaps.
> * Promote interoperability.
> * Provide guidelines for extensibility.
>
> This specifically means that as a starting point for the working group OAuth
> 1.0 (i.e., draft-hammer-oauth-00.txt), which is a copy of the original OAuth
> specification in IETF draft format, is used and the available extension
> points are going to be utilized. In completing its work to profile OAuth 1.0
> to become OAuth 1.1, the group will strive to retain backward compatibility
> with the OAuth 1.0 specification. However, changes that are not backward
> compatible might be accepted if the group determines that the changes are
> required to meet the group's technical objectives and the group clearly
> documents the reasons for making them.
>
> Furthermore, OAuth 1.0 defines three signature methods used to protect
> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on
> new signature methods and will describe the environments where new security
> requirements justify their usage. Existing signature methods will not be
> modified, but may be dropped as part of the backward compatible profiling
> activity. The applicability of existing and new signature methods to
> protocols other than HTTP will be investigated.
>
> The Working Group should consider:
> * Implementer experience.
> * The end-user experience, including internationalization.
> * Existing uses of OAuth.
> * Ability to achieve broad implementation.
> * Ability to address broader use cases than may be contemplated by the
> original authors.
>
> After delivering OAuth 1.1, the Working Group may consider defining
> additional functions and/or extensions, for example (but not limited to):
> * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
> * Comprehensive message integrity, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
> * Recommendations regarding the structure of the token.
> * Localization, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
> * Session-oriented tokens, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
> * Alternate token exchange profiles, e.g.,
> draft-dehora-farrell-oauth-accesstoken-creds-00.
>
> The work on extensions is within the scope of the working group charter, but
> requires consensus within the group to add new milestones.
>
> The Working Group will also define a generally applicable HTTP
> authentication mechanism (i.e., browser-based "2-leg" scenario).
>
> Goals and Milestones:
>
> Apr 2009  Submit 'OAuth: HTTP Authorization Delegation Protocol' as
>           working group item
>           (draft-hammer-oauth will be used as a starting point for further
>           work.)
> Jul 2009  Submit a document as a working group item providing the
>           functionality of the 2-legged HTTP authentication mechanism
> Jul 2009  Start of discussion about OAuth extensions the group should work
>           on
> Oct 2009  Start Working Group Last Call on 'OAuth: HTTP Authorization
>           Delegation Protocol'
> Nov 2009  Submit 'OAuth: HTTP Authorization Delegation Protocol' to the
>           IESG for consideration as a Proposed Standard
> Nov 2009  Start Working Group Last Call on the 2-legged HTTP
>           authentication mechanism document
> Nov 2009  Prepare milestone update to start new work within the scope of
>           the charter
> Dec 2009  Submit 2-legged HTTP authentication mechanism document to the
>           IESG for consideration as a Proposed Standard
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
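The charter's second mechanism ("signing HTTP requests with the token-secret pair") and the signature methods it names, worked through in Python as an added example that is not code from the charter, from draft-hammer-oauth, or from any OAuth library. It also makes Paul's point concrete: the consumer (the printing site) has to build the signature base string and sign it, and the service provider (the photo-sharing site) has to rebuild the same base string and verify it, so both sides implement OAuth. The request, keys and expected signature are the worked example in Appendix A of the OAuth Core 1.0 specification; the `ServiceProvider` class, its 300-second timestamp window and its nonce cache are this example's own assumptions.

```python
"""OAuth 1.0 HMAC-SHA1 request signing, consumer and service-provider sides.

Added example for this page; not code from the charter, from
draft-hammer-oauth, or from any OAuth library. The photo request, keys and
expected signature are the Appendix A example of the OAuth Core 1.0
specification; the ServiceProvider class, its timestamp window and its
nonce cache are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(s: str) -> str:
    # RFC 3986 unreserved characters (A-Z a-z 0-9 - . _ ~) pass through;
    # everything else becomes %XX (uppercase hex) over the UTF-8 bytes.
    return quote(s, safe="")


def base_string_uri(url: str) -> str:
    # Lowercase scheme and host, drop a default port, keep the path, drop
    # the query (its parameters are signed separately below).
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    # Query parameters, oauth_* parameters (minus oauth_signature) and
    # form-encoded body parameters are each encoded, sorted by name then
    # value, joined with '&', and the three parts are encoded once more.
    query = urlsplit(url).query
    # In the query component '+' is a literal plus, not a space.
    pairs = parse_qsl(query.replace("+", "%2B"), keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list(body_params)
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalized)])


def signing_key(consumer_secret, token_secret=""):
    # With the PLAINTEXT method this string *is* the oauth_signature, i.e.
    # both secrets travel in the clear and only TLS protects them.
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Consumer side (the printing site): produce the oauth_* parameters."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth_params, body_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


class ServiceProvider:
    """Service-provider side (the photo-sharing site): verify one request."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # token -> (consumer_key, token_secret)
        self.window = window        # accepted clock skew, seconds (assumption)
        self.seen = set()           # (consumer_key, timestamp, nonce) accepted so far

    def verify(self, method, url, body_params, oauth_params, now=None):
        now = time.time() if now is None else now
        try:
            ckey = oauth_params["oauth_consumer_key"]
            consumer_secret = self.consumers[ckey]
            owner, token_secret = self.tokens[oauth_params["oauth_token"]]
            ts = int(oauth_params["oauth_timestamp"])
            nonce = oauth_params["oauth_nonce"]
        except (KeyError, ValueError):
            return False
        if owner != ckey:                     # token was issued to another consumer
            return False
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False                      # this provider refuses PLAINTEXT
        if abs(now - ts) > self.window:
            return False                      # stale or far-future timestamp
        if (ckey, ts, nonce) in self.seen:
            return False                      # replay of an accepted request
        base = signature_base_string(method, url, oauth_params, body_params)
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        supplied = str(oauth_params.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(expected.encode(), supplied):
            return False
        self.seen.add((ckey, ts, nonce))      # record only after the MAC checks out
        return True


if __name__ == "__main__":
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    photos = ServiceProvider({"dpf43f3p2l4k3l03": "kd94hf93k423kf44"},
                             {"nnch734d00sl2jdk": ("dpf43f3p2l4k3l03", "pfkkdhi9sl3r4s00")})
    req = sign_request("GET", url, [], "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                       "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", "kllo9940pd9333jh", 1191242096)
    print(req["oauth_signature"])                               # tR3+Ty81lMeYAr/Fid0kMTYa/WM=
    print(photos.verify("GET", url, [], req, now=1191242096))   # True
    print(photos.verify("GET", url, [], req, now=1191242096))   # False: replayed nonce
```

The points worth taking from the two halves: every character of the normalization (encoding alphabet, sort order, handling of blank values and of "+" in the query versus the body) has to agree on both sides or a valid request is rejected, which is why the charter's "promote interoperability" goal is not cosmetic; the provider has to check that the token belongs to the presenting consumer, not just that the MAC verifies; and the nonce is only recorded after the MAC check, so an attacker cannot burn a victim's nonces with unsigned requests.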
- [oauth] OAuth Charter Text (15th April 2009) Hannes Tschofenig
- Re: [oauth] OAuth Charter Text (15th April 2009) Richard Barnes
- Re: [oauth] OAuth Charter Text (15th April 2009) Hannes Tschofenig
- Re: [oauth] OAuth Charter Text (15th April 2009) Paul Madsen
- Re: [oauth] OAuth Charter Text (15th April 2009) James Aylett