Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
George Fletcher <gffletch@aol.com> Wed, 14 May 2014 17:23 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAD3D1A0127 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sc3NNslpm4qW for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:23:10 -0700 (PDT)
Received: from omr-m10.mx.aol.com (omr-m10.mx.aol.com [64.12.143.86]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD401A013E for <oauth@ietf.org>; Wed, 14 May 2014 10:23:08 -0700 (PDT)
Received: from mtaout-mac02.mx.aol.com (mtaout-mac02.mx.aol.com [172.26.222.206]) by omr-m10.mx.aol.com (Outbound Mail Relay) with ESMTP id 38D0E70274DFC for <oauth@ietf.org>; Wed, 14 May 2014 13:23:01 -0400 (EDT)
Received: from [10.181.176.188] (unknown [10.181.176.188]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mac02.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id E9615380000B2 for <oauth@ietf.org>; Wed, 14 May 2014 13:23:00 -0400 (EDT)
Message-ID: <5373A674.1060700@aol.com>
Date: Wed, 14 May 2014 13:23:00 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com> <84B60891-F9E1-4183-9031-8BED6315C70F@mit.edu> <-968574624925308911@unknownmsgid>
In-Reply-To: <-968574624925308911@unknownmsgid>
Content-Type: multipart/alternative; boundary="------------070407000600050405060503"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5600.1067/98021
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1400088181; bh=vo4y7MEjrQ/1sAT50I3uooToR3jhmanw6Vl44Fg7GKU=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=K3ydv2iIyUxM5UkVHdNcjnzqxY3XnOztXzhtb4CViIoCXw3Skq60P1f9+YNASvzmO MLhQQGh+RuyKvijyzBFfLE6FSHlYlswZ7SHUzcFQcTgiDSjtirBmohQxHbAeXp0miA 3jm6bpA7b+qUMWP3PAvqVxLHmKZzochfuZ3qKJVw=
x-aol-sid: 3039ac1adece5373a6745c84
X-AOL-IP: 10.181.176.188
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VyqpQWHZJVsunPawQg_ltCpLjm4
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 17:23:13 -0000
I also would like to see the WG not focus on another authentication mechanism and instead look at work like Brian suggested. Thanks, George On 5/14/14, 11:41 AM, Chuck Mortimore wrote: > Agree with Brian and Justin here. Work is already covered in Connect > > - cmort > > On May 14, 2014, at 8:39 AM, Justin Richer <jricher@mit.edu > <mailto:jricher@mit.edu>> wrote: > >> I agree with Brian and object to the Authentication work item. I >> think there’s limited interest and utility in such a draft, >> especially now that OpenID Connect has been published and its core >> authentication capabilities are identical to what was called for in >> the other draft a year ago (a similarity, I’ll add, which was noted >> at the time). >> >> — Justin >> >> On May 14, 2014, at 8:24 AM, Brian Campbell >> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote: >> >>> I would object to 'OAuth Authentication' being picked up by the WG >>> as a work item. The starting point draft has expired and it hasn't >>> really been discusses since Berlin nearly a year ago. As I recall, >>> there was only very limited interest in it even then. I also don't >>> believe it fits well with the WG charter. >>> >>> I would suggest the WG consider picking up 'OAuth Symmetric Proof of >>> Possession for Code Extension' for which there is an excellent >>> starting point of >>> http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a >>> relativity simple security enhancement which addresses problems >>> currently being encountered in deployments of native clients. >>> >>> >>> >>> >>> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig >>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: >>> >>> Hi all, >>> >>> you might have seen that we pushed the assertion documents and >>> the JWT >>> documents to the IESG today. We have also updated the milestones >>> on the >>> OAuth WG page. >>> >>> This means that we can plan to pick up new work in the group. >>> We have sent a request to Kathleen to change the milestone for >>> the OAuth >>> security mechanisms to use the proof-of-possession terminology. >>> >>> We also expect an updated version of the dynamic client registration >>> spec incorporating last call feedback within about 2 weeks. >>> >>> We would like you to think about adding the following milestones >>> to the >>> charter as part of the re-chartering effort: >>> >>> ----- >>> >>> Nov 2014 Submit 'Token introspection' to the IESG for >>> consideration as a >>> Proposed Standard >>> Starting point: <draft-richer-oauth-introspection-04> >>> >>> Jan 2015 Submit 'OAuth Authentication' to the IESG for >>> consideration as >>> a Proposed Standard >>> Starting point: <draft-hunt-oauth-v2-user-a4c-01> >>> >>> Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a >>> Proposed Standard >>> Starting point: <draft-jones-oauth-token-exchange-00> >>> >>> ----- >>> >>> We also updated the charter text to reflect the current >>> situation. Here >>> is the proposed text: >>> >>> ----- >>> >>> Charter for Working Group >>> >>> >>> The Web Authorization (OAuth) protocol allows a user to grant a >>> third-party Web site or application access to the user's protected >>> resources, without necessarily revealing their long-term >>> credentials, >>> or even their identity. For example, a photo-sharing site that >>> supports OAuth could allow its users to use a third-party >>> printing Web >>> site to print their private pictures, without allowing the printing >>> site to gain full control of the user's account and without >>> having the >>> user share his or her photo-sharing sites' long-term credential with >>> the printing site. >>> >>> The OAuth 2.0 protocol suite encompasses >>> >>> * a protocol for obtaining access tokens from an authorization >>> server with the resource owner's consent, >>> * protocols for presenting these access tokens to resource server >>> for access to a protected resource, >>> * guidance for securely using OAuth 2.0, >>> * the ability to revoke access tokens, >>> * standardized format for security tokens encoded in a JSON format >>> (JSON Web Token, JWT), >>> * ways of using assertions with OAuth, and >>> * a dynamic client registration protocol. >>> >>> The working group also developed security schemes for presenting >>> authorization tokens to access a protected resource. This led to the >>> publication of the bearer token, as well as work that remains to be >>> completed on proof-of-possession and token exchange. >>> >>> The ongoing standardization effort within the OAuth working >>> group will >>> focus on enhancing interoperability and functionality of OAuth >>> deployments, such as a standard for a token introspection >>> service and >>> standards for additional security of OAuth requests. >>> >>> ----- >>> >>> Feedback appreciated. >>> >>> Ciao >>> Hannes & Derek >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> >>> -- >>> Ping Identity logo <https://www.pingidentity.com/> >>> Brian Campbell >>> Portfolio Architect >>> @ bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com> >>> phone +1 720.317.2061 >>> Connect with us… >>> twitter logo <https://twitter.com/pingidentity> youtube logo >>> <https://www.youtube.com/user/PingIdentityTV> LinkedIn logo >>> <https://www.linkedin.com/company/21870> Facebook logo >>> <https://www.facebook.com/pingidentitypage> Google+ logo >>> <https://plus.google.com/u/0/114266977739397708540> slideshare logo >>> <http://www.slideshare.net/PingIdentity> flipboard logo >>> <http://flip.it/vjBF7> rss feed icon >>> <https://www.pingidentity.com/blogs/> >>> >>> Register for Cloud Identity Summit 2014 | Modern Identity Revolution >>> | 19–23 July, 2014 | Monterey, CA >>> <https://www.cloudidentitysummit.com/> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- George Fletcher <http://connect.me/gffletch>
- [OAUTH-WG] OAuth Milestone Update and Rechartering Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Bill Mills
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… George Fletcher
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anil Saldhana
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Paul Madsen
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Prateek Mishra
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell