Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 17 February 2009 23:40 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A9443A6AF9 for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 15:40:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ar+TUHIuA3X5 for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 15:40:57 -0800 (PST)
Received: from relay.imagine.ie (relay.imagine.ie [87.232.1.40]) by core3.amsl.com (Postfix) with ESMTP id D6D483A6AFE for <oauth@ietf.org>; Tue, 17 Feb 2009 15:40:56 -0800 (PST)
Received: from mail1.int.imagine.ie (mail1 [87.232.1.152]) by relay.imagine.ie (Postfix) with ESMTP id 5CC4A3222F; Tue, 17 Feb 2009 23:41:07 +0000 (GMT)
Received: from [10.87.48.9] (dsl-102-234.cust.imagine.ie [87.232.102.234]) by mail1.int.imagine.ie (8.13.4/8.13.4/Debian-3) with ESMTP id n1HNf2Hj009617 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Feb 2009 23:41:04 GMT
Message-ID: <499B4BC0.4050505@cs.tcd.ie>
Date: Tue, 17 Feb 2009 23:44:00 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <009e01c99070$11d33100$0201a8c0@nsnintra.net> <499AE273.1010609@cs.tcd.ie> <00ca01c9913c$1027aa30$0201a8c0@nsnintra.net>
In-Reply-To: <00ca01c9913c$1027aa30$0201a8c0@nsnintra.net>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0)
X-Canit-Stats-ID: 37399669 - c714820aabfd (trained as not-spam)
X-CanItPRO-Stream: outgoing
X-Scanned-By: CanIt (www . roaringpenguin . com) on 87.232.1.52
Cc: oauth@ietf.org
Subject: Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 23:40:58 -0000
Sounds good. I'll see if we've the cycles to get a -01 out (and totally agree that -00 is missing an important applicability statement - we did however submit -00 in the 10 minutes before the MSP deadline, hence the omission:-) As to milestones, yes, I'd prefer that the charter have a milestone for draft-ietf-oauth-mobile-00 being 3-6 months after the WGLC on the base spec. But I can buy the idea of just mentioning the topic and re-doing the milestones after WGLC on the base spec. Stephen. Hannes Tschofenig wrote: > Hi Stephen, > > adding the text as an example of possible extensions the group should work > on is fine for me as we have already listed other possible extensions to the > charter text. I got the impression that you wanted to have a milestone added > already, which I believe would be premature given that the main focus of the > initial work should be spent on the main spec. As I can read from your > response you are agreeing with me on this issue. > > I still believe that the document needs to provide much more context about > the usage scenarios you have in mind and what the implications regarding > security area. The current version of the document is essentially only > describing the bare minimum. > > Can you ship an update for the IETF#74 cutoff date? > > Ciao > Hannes > > >> Hannes Tschofenig wrote: >>> Stephen ask me how their document >>> draft-dehora-farrell-oauth-accesstoken-creds-00.txt is reflected in >>> the charter text. >> Actually, I sent a mail to you and Blaine off list. I guess we >> should now discuss it on the list, now that you've gone ahead >> here instead of responding to the off list mail. >> >> Also I didn't ask how "its reflected" I suggested a way to >> include it, which is quite different. >> >> My suggestion is to add the following: >> >> "The WG will develop an oauth extension suited for use on >> challenged devices and by aggregators that allows for the >> client to directly acquire an access token from a set of >> credentials. One such scheme is defined in >> draft-dehora-farrell-oauth-accesstoken-creds" >> >> I'd still like to see that included and will certainly suggest >> it again in SF, as I did in MSP, and without anyone (that I >> recall) disagreeing with considering the use case. >> >>> Independent of this particular document, I believe that we should >>> focus our initial efforts on the Base OAUTH specification >> rather than >>> working on extensions. >> Agreed. I never asked that our use case be worked before the >> spec work is done and have no idea how you formed that impression. >> >>> As such, I would say that (depending on the progress of the >> work with >>> the main specification) we should discuss extensions in the summer >>> timeframe. >> I think its fair enough to mention the AFAIK only proposed >> extension that's documented as an I-D in the charter. I don't >> read your current charter proposal as encompassing our draft >> without rechartering. >> >>> Regarding this specific extension: I read through >>> draft-dehora-farrell-oauth-accesstoken-creds-00.txt and >> wanted to make >>> sure that I understood the extension correctly. Here is a >> message flow >>> that Jeff created some time ago. This document suggests to skip the >>> message exchanges marked as (2.*). This means that the redirect from >>> the Service Provider to the Customer and the subsequent >> steps of user >>> authentication and authorization are replaced with the ability to >>> carry some username/password in the Access token when the Consumer >>> sends the request to the Service Provider. >> Right. >> >>> My personal view is that this goes a bit against the OAUTH idea. >>> Unless the username/password is again created using some other >>> mechanism (which the document does not describe) then there are >>> vulnerability that OAUTH was initially meant to deal with. >> That's sort-of correct, however the point is that its >> necessary to deploy OAuth for existing mobile devices and some >> aggregation use cases. >> >>> Additionally, the result is less likely to be easy to deploy. >> I think you're 100% wrong there...for the use cases we're >> considering. On what basis do you say that? Do you think that >> HTTP redirects on mobiles are just fine? >> >>> As a justification for the work the following argument is provided: >>> "HTTP redirection to a browser is unavailable or unsuitable, such as >>> intermediary aggregators and mobile or settop devices." I wonder >>> whether this is really a problem in today's mobile devices >> to justify this optimization. >> >> You can wonder, but it is. >> >> Stephen. >> > >
- [oauth] draft-dehora-farrell-oauth-accesstoken-cr… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… John Kemp
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Dorothy.Gellert
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Eran Hammer-Lahav
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… John Kemp
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Eran Hammer-Lahav
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Blaine Cook
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Blaine Cook
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell