Re: [oauth] OAUTH Charter Proposal
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Mon, 02 February 2009 08:37 UTC
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Chris Messina <chris.messina@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal

What about the following text:

"
Furthermore, OAuth 1.0 defines three signature methods used to protect requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on new signature methods and will describe the environments where additional security requirements justify their usage. Existing signature methods will not be modified but may be dropped as part of the backwards compatible profiling activity.
"

Ciao
Hannes

PS: There are lots of people out there who have a strong opinion about different algorithms and usage modes. I wouldn't be surprised to spend some time discussing different algorithms.

________________________________

From: ext Chris Messina [mailto:chris.messina@gmail.com]
Sent: 02 February, 2009 10:24
To: Tschofenig, Hannes (NSN - FI/Espoo)
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal

On Sun, Feb 1, 2009 at 11:00 PM, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote:

Second, w/r/t to this:

Furthermore, Oauth 1.0 defines three signature methods used to protect requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on new signature methods in case the existing mechanisms do not fulfill the security requirements.

Where are the "security requirements" coming from? Are these defined separately? Whose are they?

[hannes] I think a pragmatic approach is sensible here: a document that describes a new mechanism might want to say what requirements guided the solution and thereby provide some motivation. I was not thinking of an independent requirements document. I don't think that it is well spent time.

I agree. Maybe it was just the wording -- it sounded like there were some definitive "security requirements" (or else you wouldn't be able to tell if they were fulfilled!) but perhaps that's not what's intended there.

I think I understand now: if you propose new security methods or signing mechanisms, the document will describe why to use them in situations with different security requirements.

Ok. Thanks,

Chris

--
Chris Messina
Citizen-Participant & Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private