[oauth] Another Charter Text Update

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Mon, 23 February 2009 13:09 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id D57623A69A7 for <oauth@core3.amsl.com>; Mon, 23 Feb 2009 05:09:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.599
X-Spam-Status: No, score=-5.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 4IAqujPMPrqt for <oauth@core3.amsl.com>; Mon, 23 Feb 2009 05:09:36 -0800 (PST)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net []) by core3.amsl.com (Postfix) with ESMTP id 6C1C73A68AD for <oauth@ietf.org>; Mon, 23 Feb 2009 05:09:32 -0800 (PST)
Received: from demuprx017.emea.nsn-intra.net ([]) by demumfd001.nsn-inter.net ( with ESMTP id n1ND9nVX024178 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Mon, 23 Feb 2009 14:09:49 +0100
Received: from demuexc025.nsn-intra.net (demuexc025.nsn-intra.net []) by demuprx017.emea.nsn-intra.net ( with ESMTP id n1ND9mcu013504 for <oauth@ietf.org>; Mon, 23 Feb 2009 14:09:48 +0100
Received: from FIESEXC015.nsn-intra.net ([]) by demuexc025.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Mon, 23 Feb 2009 14:09:48 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 23 Feb 2009 15:10:46 +0200
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B450112E54B@FIESEXC015.nsn-intra.net>
Thread-Topic: Another Charter Text Update
Thread-Index: AcmVuCOwCiDwflmeRRKT4iAw7lez2g==
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: <oauth@ietf.org>
X-OriginalArrivalTime: 23 Feb 2009 13:09:48.0303 (UTC) FILETIME=[012D31F0:01C995B8]
Subject: [oauth] Another Charter Text Update
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2009 13:09:37 -0000

Only a few more days to provide your comments on the charter text!
The deadline is February 27th.

Open Authentication Protocol (oauth)

Last Modified: 2009-02-23



Applications Area Director(s):

Chris Newman <chris.newman@sun.com>
Lisa Dusseault <lisa@osafoundation.org> 

Applications Area Advisor:


Mailing Lists:


Description of Working Group:

OAuth allows a user to grant a third-party Web site or application
access to their resources, without necessarily revealing their
credentials, or  even their identity. For example, a photo-sharing site
that supports OAuth would allow its users to use a third-party printing
Web site to access  their private pictures, without gaining full control
of the user account.

OAuth consists of:
  * A mechanism for exchanging a user's credentials for a token-secret
pair which can be used by a third party to access resources on their
  * A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for
consideration as Proposed Standard, based upon
draft-hammer-oauth-00.txt, that  will:
  * Improve the terminology used.
  * Embody good security practice, or document gaps in its capabilities,
and propose a path forward for addressing the gap.
  * Promote interoperability.
  * Provide guidelines for extensibility.

This specifically means that as a starting point for the working group
OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available
extension  points are going to be utilized. The WG will profile OAuth
1.0 in a way that produces a specification that is a backwards
compatible profile,  i.e. any OAuth 1.0 and the specification produced
by this group must support a basic set of features to guarantee

Furthermore, OAuth 1.0 defines three signature methods used to protect
requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work
on new signature methods and will describe the environments where new
security requirements justify their usage. Existing signature methods
will not be modified but may be dropped as part of the backwards
compatible profiling activity. The applicability of existing and new
signature methods to protocols other than HTTP will be investigated.

The Working Group should consider:
  * Implementer experience.
  * The end-user experience, including internationalization
  * Existing uses of OAuth.
  * Ability to achieve broad impementation.
  * Ability to address broader use cases than may be contemplated by the
original authors.

The Working Group is not tasked with defining a generally applicable
HTTP Authentication mechanism (i.e., browser-based "2-leg" scenerio),
and  should consider this work out of scope in its discussions. However,
if the deliverables are able to be factored in such a way that this is a
byproduct, or such a scenario could be addressed by additional future
work, the Working Group may choose to do so.

After delivering OAuth, the Working Group may consider defining
additional functions and/or extensions, for example (but not limited
 * Discovery of OAuth configuration. e.g.,
 * Comprehensive message integrity e.g.,
 * Recommendations regarding the structure of the token.
 * Localization e.g.,
 * Session-oriented tokens e.g.,
 * Alternate token exchange profiles e.g.,

Goals and Milestones:

Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
working group item
            (draft-hammer-oauth will be used as a starting point for
further work.)
Jul 2009    Start of discussion about OAuth extensions the group should
work on
Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
Delegation Protocol'
Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to
the IESG for consideration as a Proposed Standard 
Nov 2009    Prepare milestone update to start new work within the scope
of the charter