Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

Bill Mills <> Wed, 14 May 2014 16:03 UTC

Date: Wed, 14 May 2014 09:03:03 -0700
From: Bill Mills <>
To: Justin Richer <jricher@MIT.EDU>, Brian Campbell <>

I think there's a use case for this work that may or may not be covered by the PoP spec, and in fact I think this work is related to that. The MAC token work is really one use case of PoP tokens. Rather than shouting it down, let's figure out how to solve this use case.

On Wednesday, May 14, 2014 8:39 AM, Justin Richer <jricher@MIT.EDU> wrote:
I agree with Brian and object to the Authentication work item. I think there’s limited interest and utility in such a draft, especially now that OpenID Connect has been published and its core authentication capabilities are identical to what was called for in the other draft a year ago (a similarity, I’ll add, which was noted at the time). 

— Justin

On May 14, 2014, at 8:24 AM, Brian Campbell <> wrote:

I would object to 'OAuth Authentication' being picked up by the WG as a work item. The starting point draft has expired and it hasn't really been discussed since Berlin nearly a year ago. As I recall, there was only very limited interest in it even then. I also don't believe it fits well with the WG charter.

I would suggest the WG consider picking up 'OAuth Symmetric Proof of Possession for Code Extension' for which there is an excellent starting point of - it's a relatively simple security enhancement which addresses problems currently being encountered in deployments of native clients.

On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <> wrote:

>Hi all,
>
>you might have seen that we pushed the assertion documents and the JWT
>documents to the IESG today. We have also updated the milestones on the
>OAuth WG page.
>
>This means that we can plan to pick up new work in the group.
>
>We have sent a request to Kathleen to change the milestone for the OAuth
>security mechanisms to use the proof-of-possession terminology.
>
>We also expect an updated version of the dynamic client registration
>spec incorporating last call feedback within about 2 weeks.
>
>We would like you to think about adding the following milestones to the
>charter as part of the re-chartering effort:
>
>Nov 2014 Submit 'Token introspection' to the IESG for consideration as a
>Proposed Standard
>Starting point: <draft-richer-oauth-introspection-04>
>
>Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as
>a Proposed Standard
>Starting point: <draft-hunt-oauth-v2-user-a4c-01>
>
>Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a
>Proposed Standard
>Starting point: <draft-jones-oauth-token-exchange-00>
>
>We also updated the charter text to reflect the current situation. Here
>is the proposed text:
>
>Charter for Working Group
>
>The Web Authorization (OAuth) protocol allows a user to grant a
>third-party Web site or application access to the user's protected
>resources, without necessarily revealing their long-term credentials,
>or even their identity. For example, a photo-sharing site that
>supports OAuth could allow its users to use a third-party printing Web
>site to print their private pictures, without allowing the printing
>site to gain full control of the user's account and without having the
>user share his or her photo-sharing sites' long-term credential with
>the printing site.
>
>The OAuth 2.0 protocol suite encompasses
>* a protocol for obtaining access tokens from an authorization
>  server with the resource owner's consent,
>* protocols for presenting these access tokens to resource server
>  for access to a protected resource,
>* guidance for securely using OAuth 2.0,
>* the ability to revoke access tokens,
>* standardized format for security tokens encoded in a JSON format
>  (JSON Web Token, JWT),
>* ways of using assertions with OAuth, and
>* a dynamic client registration protocol.
>
>The working group also developed security schemes for presenting
>authorization tokens to access a protected resource. This led to the
>publication of the bearer token, as well as work that remains to be
>completed on proof-of-possession and token exchange.
>
>The ongoing standardization effort within the OAuth working group will
>focus on enhancing interoperability and functionality of OAuth
>deployments, such as a standard for a token introspection service and
>standards for additional security of OAuth requests.
>
>Feedback appreciated.
>
>Hannes & Derek
>OAuth mailing list


Brian Campbell
Portfolio Architect
+1 720.317.2061
