IETF Logo Mail Archive

Re: [oauth] Last Call for Comments: OAuth Charter Text

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Tue, 17 February 2009 20:33 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 870F33A69FF for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 12:33:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.291
X-Spam-Level:
X-Spam-Status: No, score=-2.291 tagged_above=-999 required=5 tests=[AWL=0.308, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBtDNld5fLsK for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 12:33:08 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 939123A6882 for <oauth@ietf.org>; Tue, 17 Feb 2009 12:33:03 -0800 (PST)
Received: (qmail invoked by alias); 17 Feb 2009 20:03:55 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp071) with SMTP; 17 Feb 2009 21:03:55 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19q4IhKRtJq5LFru1dkDPnHBQntlHvpdDnZtRJoz2 Ngh/uN3YsGBgkd
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <3D3C75174CB95F42AD6BCC56E5555B45010DB8F0@FIESEXC015.nsn-intra.net> <499AE278.6050405@cs.tcd.ie>
Date: Tue, 17 Feb 2009 22:04:51 +0200
Message-ID: <00c901c9913b$056f0670$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcmRGnhJIKg2ZYeFTFqTKpPsrKEE1AAIHBEw
In-Reply-To: <499AE278.6050405@cs.tcd.ie>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.52
Cc: oauth@ietf.org
Subject: Re: [oauth] Last Call for Comments: OAuth Charter Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 20:33:09 -0000

I missed them and I will incorporate them.

Thanks for pointing me to them. 

Ciao
Hannes
 

>-----Original Message-----
>From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] 
>On Behalf Of Stephen Farrell
>Sent: 17 February, 2009 18:15
>To: Tschofenig, Hannes (NSN - FI/Espoo)
>Cc: oauth@ietf.org
>Subject: Re: [oauth] Last Call for Comments: OAuth Charter Text
>
>
>I made some comments before [1] that don't seem to have been 
>included here - was that deliberate or did they get missed?
>
>S.
>
>[1] http://www.ietf.org/mail-archive/web/oauth/current/msg00061.html
>
>Tschofenig, Hannes (NSN - FI/Espoo) wrote:
>> Hi all,
>> 
>> we have now discussed the charter text for some time and we got good 
>> feedback. I have tried to reflect it in an appropriate way.
>> 
>> I think it is about time to finish this part of the story. Please 
>> review the current charter text and make a judgement whether we can 
>> move forward with it.
>> 
>> Ciao
>> Hannes
>> 
>> 
>----------------------------------------------------------------------
>> --
>> -------------
>> 
>> Open Authentication Protocol (oauth)
>> 
>> Last Modified: 2009-01-30
>> 
>> Chair(s):
>> 
>> TBD
>> 
>> Applications Area Director(s):
>> 
>> Chris Newman <chris.newman@sun.com>
>> Lisa Dusseault <lisa@osafoundation.org>
>> 
>> Applications Area Advisor:
>> 
>> TBD
>> 
>> Mailing Lists:
>> 
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> Description of Working Group:
>> 
>> OAuth allows a user to grant a third-party Web site or application 
>> access to their resources, without revealing their credentials, or 
>> even their identity. For example, a photo-sharing site that supports 
>> OAuth would allow its users to use a third-party printing 
>Web site to 
>> access their private pictures, without gaining full control of the 
>> user account.
>> 
>> OAuth consists of:
>>   * A mechanism for exchanging a user's credentials for a 
>token-secret 
>> pair that can be used by a third party to access resources on their 
>> behalf.
>>   * A mechanism for signing HTTP requests with the token-secret pair.
>> 
>> The Working Group will produce one or more documents suitable for 
>> consideration as Proposed Standard, based upon the OAuth 
>I-D, that will:
>>   * Align OAuth with the Internet and Web architectures, best 
>> practices and terminology.
>>   * Assure good security practice, or document gaps in its 
>> capabilities, and propose a path forward for addressing the gap.
>>   * Promote interoperability.
>>   * Provide guidelines for extensibility.
>> 
>> This specifically means that as a starting point for the 
>working group 
>> the OAuth 1.0 specification is used and the available 
>extension points 
>> are going to be utilized. It seems desireable to profile 
>OAuth 1.0 in 
>> a way that produces a specification that is a backwards compatible 
>> profile, i.e. an OAuth 1.0 implementation and the specification 
>> produced by this group must support a basic set of features to 
>> guarantee interoperability.
>> 
>> Furthermore, OAuth 1.0 defines three signature methods used 
>to protect 
>> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will 
>> work on new signature methods and will describe the 
>environments where 
>> new security requirements justify their usage. Existing signature 
>> methods will not be modified but may be dropped as part of the 
>> backwards compatible profiling activity. The applicability 
>of existing 
>> and new signature methods to protocols other than HTTP will 
>be investigated.
>> 
>> In doing so, it should consider:
>>   * Implementer experience.
>>   * Existing uses of OAuth.
>>   * Ability to achieve broad impementation.
>>   * Ability to address broader use cases than may be contemplated by 
>> the original authors.
>>   * Impact on the Internet and Web.
>> 
>> The Working Group is not tasked with defining a generally applicable 
>> HTTP Authentication mechanism (i.e., browser-based "2-leg" 
>scenerio), 
>> and should consider this work out of scope in its discussions.  
>> However, if the deliverables are able to be factored in such a way 
>> that this is a byproduct, or such a scenario could be addressed by 
>> additional future work, the Working Group may choose to do so.
>> 
>> After delivering OAuth, the Working Group may consider defining 
>> additional functions and/or extensions, for example (but not limited
>> to):
>>   * Discovery of authentication configuration.
>>   * Message integrity.
>>   * Recommendations regarding the structure of the token.
>> 
>> Goals and Milestones:
>> 
>> Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
>> working group item
>>             (draft-hammer-oauth will be used as a starting point for 
>> further work.)
>> Sep 2009    Start Working Group Last Call on 'OAuth: HTTP 
>Authorization
>> Delegation Protocol'
>> Sep 2009    Discusion about OAUTH extensions the group should work on
>> Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to
>> the IESG for consideration as a Proposed Standard 
>> Nov 2009    Prepare milestone update to start new work 
>within the scope
>> of the charter
>> _______________________________________________
>> oauth mailing list
>> oauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>
>_______________________________________________
>oauth mailing list
>oauth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>

v2.43.4 | Report a Bug | By Email | System Status