IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

Justin Richer <jricher@MIT.EDU> Wed, 14 May 2014 15:38 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53DEF1A0110 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 08:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.241
X-Spam-Level:
X-Spam-Status: No, score=-3.241 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPHCGO9ZZq9f for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 08:38:54 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) by ietfa.amsl.com (Postfix) with ESMTP id 147C61A00CD for <oauth@ietf.org>; Wed, 14 May 2014 08:38:53 -0700 (PDT)
X-AuditID: 1209190c-f79946d000000c3b-a7-53738e07cf8d
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id C2.19.03131.70E83735; Wed, 14 May 2014 11:38:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id s4EFcjkn001200; Wed, 14 May 2014 11:38:46 -0400
Received: from [18.189.28.96] ([18.189.28.96]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s4EFchTv003473 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 14 May 2014 11:38:44 -0400
Content-Type: multipart/signed; boundary="Apple-Mail=_160C4D6C-2A9D-4BE0-B675-CB5CA622B0DF"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Justin Richer <jricher@MIT.EDU>
In-Reply-To: <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com>
Date: Wed, 14 May 2014 11:38:42 -0400
Message-Id: <84B60891-F9E1-4183-9031-8BED6315C70F@mit.edu>
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.1874)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrAKsWRmVeSWpSXmKPExsUixCmqrcveVxxscPkOh8Xq/zcZLZbuvMdq cfLtKzYHZo/Fm/azeSxZ8pPJ4+7RiywBzFFcNimpOZllqUX6dglcGbOnPWIqeN/JWDH9ygHW BsbFpV2MnBwSAiYSN27eZoOwxSQu3FsPZHNxCAnMZpLYdfo2E4SzkVHi3byFzBDOYiaJ319/ gWWYBSYxSsw7OZ0ZpJ9XQE+iac1EJhBbWMBeYtXSr6wgNpuAqsT8lbeA4hwcnAKBEk2fvUDC LEDhuxtawFqZBWIl1i48zAIxxkri7P2LrCDlQgLZEgvnVIOERQT0JW4/ncMOcamsxKMPTSwT GAVmIbtiFpIrZoGNTZL4cmgSK4StLbFs4WtmCNtA4mnnKyzi+hJv3s2B6pWX2P52DlTcUmLx zBssELatxK2+BVA1dhKPpi1iXcDIvYpRNiW3Sjc3MTOnODVZtzg5MS8vtUjXUC83s0QvNaV0 EyM4AiV5djC+Oah0iFGAg1GJh/eGc1GwEGtiWXFl7iFGSQ4mJVHe8o7iYCG+pPyUyozE4oz4 otKc1OJDjCpAux5tWH2BUYolLz8vVUmE90MbUB1vSmJlVWpRPkyZNAeLkjjvW2urYCGB9MSS 1OzU1ILUIpisDAeHkgSvaC9Qo2BRanpqRVpmTglCmomD8xCjBAcP0HB/kBre4oLE3OLMdIj8 KUZdjjvP17YwCYFdICXOq9ADVCQAUpRRmgc3B5ZQXzGKA70ozCsOMooHmIzhJr0CWsIEtOSE WxHIkpJEhJRUA2PLZtWmdEPxm60L7rX9kuIUtI7K7nRnmWece2fiXrMInk/fxK+klP2blLvP RmvKPgMZ059sOScmr5u/ytH8/pKzVye3qjT+eMdwMGNZ0CruLd7qix1Ozq9ITq/017jtnfzk qdnPxX6Xvv0Pmf7o+va12gekWEwNsuw/7RPaGRkV8X0P88NUxQAlluKMREMt5qLiRAC+0pIS gwMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/UL5uiUmgyn-mc46S3J8C3TZtMA8
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 15:38:58 -0000

I agree with Brian and object to the Authentication work item. I think there’s limited interest and utility in such a draft, especially now that OpenID Connect has been published and its core authentication capabilities are identical to what was called for in the other draft a year ago (a similarity, I’ll add, which was noted at the time). 

 — Justin

On May 14, 2014, at 8:24 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> I would object to 'OAuth Authentication' being picked up by the WG as a work item. The starting point draft has expired and it hasn't really been discusses since Berlin nearly a year ago.  As I recall, there was only very limited interest in it even then. I also don't believe it fits well with the WG charter.
> 
> I would suggest the WG consider picking up 'OAuth Symmetric Proof of Possession for Code Extension' for which there is an excellent starting point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a relativity simple security enhancement which addresses problems currently being encountered in deployments of native clients.  
> 
> 
> 
> 
> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> Hi all,
> 
> you might have seen that we pushed the assertion documents and the JWT
> documents to the IESG today. We have also updated the milestones on the
> OAuth WG page.
> 
> This means that we can plan to pick up new work in the group.
> We have sent a request to Kathleen to change the milestone for the OAuth
> security mechanisms to use the proof-of-possession terminology.
> 
> We also expect an updated version of the dynamic client registration
> spec incorporating last call feedback within about 2 weeks.
> 
> We would like you to think about adding the following milestones to the
> charter as part of the re-chartering effort:
> 
> -----
> 
> Nov 2014 Submit 'Token introspection' to the IESG for consideration as a
> Proposed Standard
> Starting point: <draft-richer-oauth-introspection-04>
> 
> Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as
> a Proposed Standard
> Starting point: <draft-hunt-oauth-v2-user-a4c-01>
> 
> Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a
> Proposed Standard
> Starting point: <draft-jones-oauth-token-exchange-00>
> 
> -----
> 
> We also updated the charter text to reflect the current situation. Here
> is the proposed text:
> 
> -----
> 
> Charter for Working Group
> 
> 
> The Web Authorization (OAuth) protocol allows a user to grant a
> third-party Web site or application access to the user's protected
> resources, without necessarily revealing their long-term credentials,
> or even their identity. For example, a photo-sharing site that
> supports OAuth could allow its users to use a third-party printing Web
> site to print their private pictures, without allowing the printing
> site to gain full control of the user's account and without having the
> user share his or her photo-sharing sites' long-term credential with
> the printing site.
> 
> The OAuth 2.0 protocol suite encompasses
> 
> * a protocol for obtaining access tokens from an authorization
> server with the resource owner's consent,
> * protocols for presenting these access tokens to resource server
> for access to a protected resource,
> * guidance for securely using OAuth 2.0,
> * the ability to revoke access tokens,
> * standardized format for security tokens encoded in a JSON format
>   (JSON Web Token, JWT),
> * ways of using assertions with OAuth, and
> * a dynamic client registration protocol.
> 
> The working group also developed security schemes for presenting
> authorization tokens to access a protected resource. This led to the
> publication of the bearer token, as well as work that remains to be
> completed on proof-of-possession and token exchange.
> 
> The ongoing standardization effort within the OAuth working group will
> focus on enhancing interoperability and functionality of OAuth
> deployments, such as a standard for a token introspection service and
> standards for additional security of OAuth requests.
> 
> -----
> 
> Feedback appreciated.
> 
> Ciao
> Hannes & Derek
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> 
> -- 
> 	
> Brian Campbell
> Portfolio Architect
> @	bcampbell@pingidentity.com
> 	+1 720.317.2061
> Connect with us…
>        
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email