Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

George Fletcher <gffletch@aol.com> Wed, 14 May 2014 17:23 UTC

Message-ID: <5373A674.1060700@aol.com>
Date: Wed, 14 May 2014 13:23:00 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: "oauth@ietf.org" <oauth@ietf.org>
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com> <84B60891-F9E1-4183-9031-8BED6315C70F@mit.edu> <-968574624925308911@unknownmsgid>
In-Reply-To: <-968574624925308911@unknownmsgid>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VyqpQWHZJVsunPawQg_ltCpLjm4
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

I also would like to see the WG not focus on another authentication 
mechanism and instead look at work like Brian suggested.

Thanks,
George

On 5/14/14, 11:41 AM, Chuck Mortimore wrote:
> Agree with Brian and Justin here. Work is already covered in Connect
>
> - cmort
>
> On May 14, 2014, at 8:39 AM, Justin Richer <jricher@mit.edu 
> <mailto:jricher@mit.edu>> wrote:
>
>> I agree with Brian and object to the Authentication work item. I 
>> think there’s limited interest and utility in such a draft, 
>> especially now that OpenID Connect has been published and its core 
>> authentication capabilities are identical to what was called for in 
>> the other draft a year ago (a similarity, I’ll add, which was noted 
>> at the time).
>>
>>  — Justin
>>
>> On May 14, 2014, at 8:24 AM, Brian Campbell 
>> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>
>>> I would object to 'OAuth Authentication' being picked up by the WG 
>>> as a work item. The starting point draft has expired and it hasn't 
>>> really been discussed since Berlin nearly a year ago.  As I recall, 
>>> there was only very limited interest in it even then. I also don't 
>>> believe it fits well with the WG charter.
>>>
>>> I would suggest the WG consider picking up 'OAuth Symmetric Proof of 
>>> Possession for Code Extension' for which there is an excellent 
>>> starting point of 
>>> http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a 
>>> relatively simple security enhancement which addresses problems 
>>> currently being encountered in deployments of native clients.
>>>
>>>
>>>
>>>
>>> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig 
>>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>
>>>     Hi all,
>>>
>>>     you might have seen that we pushed the assertion documents and the JWT
>>>     documents to the IESG today. We have also updated the milestones on the
>>>     OAuth WG page.
>>>
>>>     This means that we can plan to pick up new work in the group.
>>>     We have sent a request to Kathleen to change the milestone for the OAuth
>>>     security mechanisms to use the proof-of-possession terminology.
>>>
>>>     We also expect an updated version of the dynamic client registration
>>>     spec incorporating last call feedback within about 2 weeks.
>>>
>>>     We would like you to think about adding the following milestones to the
>>>     charter as part of the re-chartering effort:
>>>
>>>     -----
>>>
>>>     Nov 2014 Submit 'Token introspection' to the IESG for consideration as a
>>>     Proposed Standard
>>>     Starting point: <draft-richer-oauth-introspection-04>
>>>
>>>     Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as
>>>     a Proposed Standard
>>>     Starting point: <draft-hunt-oauth-v2-user-a4c-01>
>>>
>>>     Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a
>>>     Proposed Standard
>>>     Starting point: <draft-jones-oauth-token-exchange-00>
>>>
>>>     -----
>>>
>>>     We also updated the charter text to reflect the current situation. Here
>>>     is the proposed text:
>>>
>>>     -----
>>>
>>>     Charter for Working Group
>>>
>>>
>>>     The Web Authorization (OAuth) protocol allows a user to grant a
>>>     third-party Web site or application access to the user's protected
>>>     resources, without necessarily revealing their long-term credentials,
>>>     or even their identity. For example, a photo-sharing site that
>>>     supports OAuth could allow its users to use a third-party printing Web
>>>     site to print their private pictures, without allowing the printing
>>>     site to gain full control of the user's account and without having the
>>>     user share his or her photo-sharing sites' long-term credential with
>>>     the printing site.
>>>
>>>     The OAuth 2.0 protocol suite encompasses
>>>
>>>     * a protocol for obtaining access tokens from an authorization
>>>     server with the resource owner's consent,
>>>     * protocols for presenting these access tokens to a resource server
>>>     for access to a protected resource,
>>>     * guidance for securely using OAuth 2.0,
>>>     * the ability to revoke access tokens,
>>>     * standardized format for security tokens encoded in a JSON format
>>>       (JSON Web Token, JWT),
>>>     * ways of using assertions with OAuth, and
>>>     * a dynamic client registration protocol.
>>>
>>>     The working group also developed security schemes for presenting
>>>     authorization tokens to access a protected resource. This led to the
>>>     publication of the bearer token, as well as work that remains to be
>>>     completed on proof-of-possession and token exchange.
>>>
>>>     The ongoing standardization effort within the OAuth working group will
>>>     focus on enhancing interoperability and functionality of OAuth
>>>     deployments, such as a standard for a token introspection service and
>>>     standards for additional security of OAuth requests.
>>>
>>>     -----
>>>
>>>     Feedback appreciated.
>>>
>>>     Ciao
>>>     Hannes & Derek
>>>
>>>
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>
>>> -- 
>>> Brian Campbell
>>> Portfolio Architect
>>> @ 	bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>
>>> phone 	+1 720.317.2061
>>>
>>>
>>
>
>

-- 
George Fletcher <http://connect.me/gffletch>