Re: [OAUTH-WG] Rechartering

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 20 October 2011 19:52 UTC

We also use HTTP, but we don't discuss it here.

OAuth discovery, automation, cross-vendor interop, and dynamic client registration are all part of one big topic. Before we can discuss any particular drafts or proposals, we must first understand the problem space, collect use cases and requirements, and figure out what we are trying to solve. Then we can decide if this is big enough for a new working group or not and charter the work. Once the WG starts working on it, it can decide based on the requirements which technologies to use and SWD can be one option.

However, even if an OAuth-related effort decides to use SWD, it is still not the place to work on it. SWD is clearly an Application area work and should be discussed there.

EHL


> -----Original Message-----
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Thursday, October 20, 2011 12:46 PM
> To: Eran Hammer-Lahav; Hannes Tschofenig; OAuth WG
> Subject: RE: [OAUTH-WG] Rechartering
> 
> Because it's intended for (and used for) discovery of OAuth endpoints...
> 
> -----Original Message-----
> From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
> Sent: Thursday, October 20, 2011 12:42 PM
> To: Mike Jones; Hannes Tschofenig; OAuth WG
> Subject: RE: [OAUTH-WG] Rechartering
> 
> What possible rationale is there for SWD to belong in the OAuth working group
> and in the security area?
> 
> EHL
> 
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Mike Jones
> > Sent: Thursday, October 20, 2011 12:12 PM
> > To: Hannes Tschofenig; OAuth WG
> > Subject: Re: [OAUTH-WG] Rechartering
> >
> > Thanks, Hannes.  Here's my prioritized list of new work:
> >
> > 1.  JSON Web Token (JWT)
> > 2.  Simple Web Discovery (SWD)
> > 3.  JSON Web Token (JWT) Bearer Token Profile
> > 4.  Token Revocation
> >
> > My prioritized list of existing work items to complete after the core
> > and bearer specs are:
> >
> > A.  Assertions Specification
> > B.  SAML Bearer Token Profile
> >
> > I am ambivalent about whether the working group takes on most of the
> > other work items.
> >
> > Responding to Eran's comments on SWD versus host-meta, these specs
> > have significantly different goals and use substantially different
> > mechanisms with different privacy characteristics.  Also, if you
> > compare the relative complexity of the example at
> > http://tools.ietf.org/html/draft-hammer-hostmeta-17#appendix-A
> > versus the example at
> > http://tools.ietf.org/html/draft-jones-simple-web-discovery-01#section-1,
> > you can see why SWD was chosen for
> > use in OpenID Connect to discover OAuth authorization and resource
> > server endpoints.
> >
> > 				-- Mike
> >
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Hannes Tschofenig
> > Sent: Wednesday, October 19, 2011 10:09 PM
> > To: OAuth WG
> > Subject: [OAUTH-WG] Rechartering
> >
> > Hi all,
> >
> > in preparation for the upcoming IETF meeting Barry and I would like to
> > start a re-chartering discussion.  We both are currently attending the
> > Internet Identity Workshop and so we had the chance to solicit input
> > from the participants. This should serve as a discussion starter.
> >
> > Potential future OAuth charter items (in random order):
> >
> > ----------------
> >
> > 1) Dynamic Client Registration Protocol
> >
> > Available document:
> > http://datatracker.ietf.org/doc/draft-hardjono-oauth-dynreg/
> >
> > 2) Token Revocation
> >
> > Available document:
> > http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/
> >
> > 3) UMA
> >
> > Available document:
> > http://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
> >
> > 4) Client Instance Extension
> >
> > Available document:
> > http://tools.ietf.org/id/draft-richer-oauth-instance-00.txt
> >
> > 5) XML Encoding
> >
> > Available document:
> > http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt
> >
> > 6) JSON Web Token
> >
> > Available document:
> > http://tools.ietf.org/html/draft-jones-json-web-token-05
> >
> > 7) JSON Web Token (JWT) Bearer Profile
> >
> > Available document:
> > http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00
> >
> > 8) User Experience Extension
> >
> > Available document:
> > http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00
> >
> > 9) Request by Reference
> >
> > Available document:
> > http://tools.ietf.org/html/draft-sakimura-oauth-requrl-00
> >
> > 10) Simple Web Discovery
> >
> > Available document:
> > http://tools.ietf.org/html/draft-jones-simple-web-discovery-00
> >
> > ----------------
> >
> > We have the following questions:
> >
> > a) Are you interested in any of the above-listed items? (as a
> > reviewer, co-author, implementer, or someone who would like to
> > deploy). It is also useful to know if you think that we shouldn't
> > work on a specific item.
> >
> > b) Are there other items you would like to see the group working on?
> >
> > Note: In case your document is expired please re-submit it.
> >
> > Ciao
> > Hannes & Barry
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth