Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

John Bradley <ve7jtb@ve7jtb.com> Wed, 14 May 2014 17:59 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E87F1A0102 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U3tLuaBSa_kE for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:59:24 -0700 (PDT)
Received: from mail-ee0-f53.google.com (mail-ee0-f53.google.com [74.125.83.53]) by ietfa.amsl.com (Postfix) with ESMTP id 3463F1A00B2 for <oauth@ietf.org>; Wed, 14 May 2014 10:59:23 -0700 (PDT)
Received: by mail-ee0-f53.google.com with SMTP id c13so1596345eek.26 for <oauth@ietf.org>; Wed, 14 May 2014 10:59:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=GhO20WJpndUgaoCOVSl6E3L5Dhh4/rAxLs7VjATSOko=; b=Si0KvBTJUaDEN2WMnGU6vPcgj8TFiNM6LhjCekP1q7buOscT5NnM9o1yrM081t5ktP xlo1Rgo+VWQS+KxectHefpKUU6mXXqeSdBQisTuBCFUDeh13wFsoTJIfgg4UiUlsDE2n BGfN4joofhG4d32+4HK7wPZ/rWYlM4MELOevgdt7rVFsW2YfxysSZw8RUgvtU2ImkM6U yZgaW50Lym5l0XOaJGn0NFD6NH7C//L31sYClg0kaA00jpGcn6l8GURwGLXfG+dYYIWi dr87FGZGcSejFY91ygxiy4rAQEyFFcehO3acg3rFDHW2nsQfTmjoqjevZyy1GypGvtqf Gy3A==
X-Gm-Message-State: ALoCoQl1+HPC7CHFAPoiIZzSOMcmWwdhJRJS7jHdzJXFlNYY8y9Qt15Qo+WBuu/KrgkEnHlIgpJ9
X-Received: by 10.15.49.137 with SMTP id j9mr7477117eew.26.1400090356745; Wed, 14 May 2014 10:59:16 -0700 (PDT)
Received: from [10.105.255.214] (vlan105-gw1.ush2.tnib.de. [86.110.65.1]) by mx.google.com with ESMTPSA id 8sm6689762eea.10.2014.05.14.10.59.14 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 14 May 2014 10:59:15 -0700 (PDT)
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com>
Content-Type: multipart/signed; micalg="sha1"; boundary="Apple-Mail-44BF63E5-7387-40AC-9D85-FE30EC8D03B2"; protocol="application/pkcs7-signature"
Content-Transfer-Encoding: 7bit
Message-Id: <60BC637A-FD8D-4C92-A94C-93F89E868CB9@ve7jtb.com>
X-Mailer: iPhone Mail (11D201)
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 14 May 2014 19:59:14 +0200
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YqC7CtcbYFDowiD5zNpYNdUf04w
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 17:59:28 -0000

I know a number of people implementing

> http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03

Having it on a RFC track may make sense. 

I remain to be convinced that a4c ads anything other than confusion. 

If the WG wants to take it up it should be aligned with Connect.  I think there are more important things to spend time on. 


Sent from my iPhone

> On May 14, 2014, at 2:24 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> I would object to 'OAuth Authentication' being picked up by the WG as a work item. The starting point draft has expired and it hasn't really been discusses since Berlin nearly a year ago.  As I recall, there was only very limited interest in it even then. I also don't believe it fits well with the WG charter.
> 
> I would suggest the WG consider picking up 'OAuth Symmetric Proof of Possession for Code Extension' for which there is an excellent starting point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a relativity simple security enhancement which addresses problems currently being encountered in deployments of native clients.  
> 
> 
> 
> 
>> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> Hi all,
>> 
>> you might have seen that we pushed the assertion documents and the JWT
>> documents to the IESG today. We have also updated the milestones on the
>> OAuth WG page.
>> 
>> This means that we can plan to pick up new work in the group.
>> We have sent a request to Kathleen to change the milestone for the OAuth
>> security mechanisms to use the proof-of-possession terminology.
>> 
>> We also expect an updated version of the dynamic client registration
>> spec incorporating last call feedback within about 2 weeks.
>> 
>> We would like you to think about adding the following milestones to the
>> charter as part of the re-chartering effort:
>> 
>> -----
>> 
>> Nov 2014 Submit 'Token introspection' to the IESG for consideration as a
>> Proposed Standard
>> Starting point: <draft-richer-oauth-introspection-04>
>> 
>> Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as
>> a Proposed Standard
>> Starting point: <draft-hunt-oauth-v2-user-a4c-01>
>> 
>> Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a
>> Proposed Standard
>> Starting point: <draft-jones-oauth-token-exchange-00>
>> 
>> -----
>> 
>> We also updated the charter text to reflect the current situation. Here
>> is the proposed text:
>> 
>> -----
>> 
>> Charter for Working Group
>> 
>> 
>> The Web Authorization (OAuth) protocol allows a user to grant a
>> third-party Web site or application access to the user's protected
>> resources, without necessarily revealing their long-term credentials,
>> or even their identity. For example, a photo-sharing site that
>> supports OAuth could allow its users to use a third-party printing Web
>> site to print their private pictures, without allowing the printing
>> site to gain full control of the user's account and without having the
>> user share his or her photo-sharing sites' long-term credential with
>> the printing site.
>> 
>> The OAuth 2.0 protocol suite encompasses
>> 
>> * a protocol for obtaining access tokens from an authorization
>> server with the resource owner's consent,
>> * protocols for presenting these access tokens to resource server
>> for access to a protected resource,
>> * guidance for securely using OAuth 2.0,
>> * the ability to revoke access tokens,
>> * standardized format for security tokens encoded in a JSON format
>>   (JSON Web Token, JWT),
>> * ways of using assertions with OAuth, and
>> * a dynamic client registration protocol.
>> 
>> The working group also developed security schemes for presenting
>> authorization tokens to access a protected resource. This led to the
>> publication of the bearer token, as well as work that remains to be
>> completed on proof-of-possession and token exchange.
>> 
>> The ongoing standardization effort within the OAuth working group will
>> focus on enhancing interoperability and functionality of OAuth
>> deployments, such as a standard for a token introspection service and
>> standards for additional security of OAuth requests.
>> 
>> -----
>> 
>> Feedback appreciated.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> -- 
> 	
> Brian Campbell
> Portfolio Architect
> @	bcampbell@pingidentity.com
> 	+1 720.317.2061
> Connect with us…
>        
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth