IETF Logo Mail Archive

Re: [OAUTH-WG] proposed agenda for second interim meeting

Dick Hardt <dick.hardt@gmail.com> Wed, 03 February 2010 15:01 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 60C663A6AFD for <oauth@core3.amsl.com>; Wed, 3 Feb 2010 07:01:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZK-yjKYgSEX for <oauth@core3.amsl.com>; Wed, 3 Feb 2010 07:01:14 -0800 (PST)
Received: from mail-pz0-f179.google.com (mail-pz0-f179.google.com [209.85.222.179]) by core3.amsl.com (Postfix) with ESMTP id 74BC73A6A15 for <oauth@ietf.org>; Wed, 3 Feb 2010 07:01:10 -0800 (PST)
Received: by pzk9 with SMTP id 9so1636668pzk.31 for <oauth@ietf.org>; Wed, 03 Feb 2010 07:01:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=KQZ8j2moL6V6eLHfgyyRmY8ziNuFH8uYUl9duEEOYoE=; b=YSjO38a6hNgqbTM/lzfhQEMVGIZU1VoGgbIbNnp7s2MQPwAq6Xm63C2HaoqrsDEGtP ZhUobrT75E55ZWF4nu0TpaZG5mbbN4tb9IYQ4Ec6ZOqgqFUXBmC8bwe+q3FI0B5DsAmw SlcsiI2TLWBgNgxyK1F/FsQAcPibAlI9wD2mA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=ru+tGDg2Vg6R3w+NiX5H7UaTQPoBcleMBIJODPsZbUPUpcsbSt2Je8J8AnfvejNECR 8P0IFFwwN6xvmgSs74u+GQKvbU1RBXOt+TRyVL6Ap7BOPxKMH4XwtGeapgwwQTNkdk0x dDR9uBE+8A9bDSCfWoGmENcAnB7aacjkqBgpI=
Received: by 10.141.14.15 with SMTP id r15mr5284036rvi.29.1265209310422; Wed, 03 Feb 2010 07:01:50 -0800 (PST)
Received: from ?192.168.1.236? (c-24-17-212-68.hsd1.wa.comcast.net [24.17.212.68]) by mx.google.com with ESMTPS id 23sm6495522pzk.8.2010.02.03.07.01.49 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 03 Feb 2010 07:01:49 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723437DFBA2A70@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 03 Feb 2010 07:01:48 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <62C93B79-9FF8-4D26-B1A7-7A79C122CC0E@gmail.com>
References: <4B69066C.5050809@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E723437DFBA2A70@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1077)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 15:01:15 -0000

Hi Eran

I think it is a little early in our phone discussions to get into technical details. The next step according to the last call was to gather and review use cases. Without rough consensus on what problem we are solving, your points below (which all do need to be discussed at some point) is just moving around deck chairs on the Titanic.

-- Dick

On 2010-02-02, at 11:24 PM, Eran Hammer-Lahav wrote:

> Please add:
> 
> - Discuss Adobe's recent request to allow excluding the host/port from the signed message.
> 
> - With regards to #4, how should the challenge identify the token to be used (realm comes free, do we need another)?
> 
> - Should a single token support multiple signature algorithms? This has implications as to the information the client has to include with the request (the algorithm used, etc.).
> 
> - Where should the token structure live? OAuth 1.0 includes two response parameters (token and token_secret). However, since we are now moving towards having the algorithm part of the token definition, as well as duration and other attributes, the server will need to provide this information to the client. This calls for a simple schema (can be any format but need to agree to consistent names). It is currently part of the authorization/delegation draft (implicitly), but we should discuss moving it to the authentication draft since that's where it is used (the authorization draft simply hands those "things" out).
> 
> EHL
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Peter Saint-Andre
>> Sent: Tuesday, February 02, 2010 9:15 PM
>> To: OAuth WG
>> Subject: [OAUTH-WG] proposed agenda for second interim meeting
>> 
>> <hat type='chair'/>
>> 
>> At the first interim meeting, we didn't get through our agenda:
>> 
>> http://www.ietf.org/mail-archive/web/oauth/current/msg01013.html
>> 
>> Therefore I propose that this time we focus on some unfinished business,
>> starting with the topic of authentication. I have reviewed all of the related
>> threads on the list and have come up with the following *rough* agenda.
>> Your feedback is welcome to improve this (a.k.a. "agenda
>> bashing") either on the list or during the meeting.
>> 
>> For logistics information, see here:
>> 
>> http://www.ietf.org/mail-archive/web/oauth/current/msg01085.html
>> 
>> ******
>> 
>> AGENDA
>> 
>> Base proposal: draft-ietf-oauth-authentication-01
>> 
>> Eran had hoped to push out a new version in time for our meeting, but hasn't
>> been able to get to it yet. However, I think we can continue to move forward
>> with discussion. Feedback is welcome on the general approach, as well as
>> specific open issues.
>> 
>> Open issues....
>> 
>> Issue #1: Request Signing vs. API Signing vs. Message Signing
>> http://www.ietf.org/mail-archive/web/oauth/current/msg00961.html
>> 
>> 1a. Seeming consensus for message signing.
>> 
>> 1b. No consensus yet on message format.
>>    - JSON and textual key-value seem to be the leading candidates.
>> 
>> 1c. Seeming consensus for multiple/extensible signature algorithms.
>>    - HMAC-SHA1
>>    - HMAC-SHA256
>>    - RSASSA-PKCS1-v1.5-SHA256
>>    - PLAIN over SSL/TLS
>> 
>> But: which of these are Mandatory-to-Implement?
>> 
>> Issue #2: Include the Normalized Request with the Request?
>> http://www.ietf.org/mail-archive/web/oauth/current/msg00962.html
>> 
>> Seeming consensus to not include the normalized request (e.g., signature
>> string).
>> 
>> Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption?
>> http://www.ietf.org/mail-archive/web/oauth/current/msg00963.html
>> 
>> Seeming consensus that channel encryption is must-implement (which does
>> not necessarily mean must-deploy).
>> 
>> Issue #4: Authentication Challenges
>> http://www.ietf.org/mail-archive/web/oauth/current/msg01039.html
>> 
>> If an authentication (access) request is unacceptable, how does the server
>> tell the client how it can provide proper credentials (e.g., by using a different
>> algorithm)?
>> 
>> Possible other topics:
>> 
>> - Mutual auth?
>>  http://www.ietf.org/mail-archive/web/oauth/current/msg00935.html
>> 
>> - Resource authorization?
>>  http://www.ietf.org/mail-archive/web/oauth/current/msg01033.html
>> 
>> ******
>> 
>> /psa
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email