IETF Logo Mail Archive

Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 17 February 2009 23:40 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A9443A6AF9 for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 15:40:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ar+TUHIuA3X5 for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 15:40:57 -0800 (PST)
Received: from relay.imagine.ie (relay.imagine.ie [87.232.1.40]) by core3.amsl.com (Postfix) with ESMTP id D6D483A6AFE for <oauth@ietf.org>; Tue, 17 Feb 2009 15:40:56 -0800 (PST)
Received: from mail1.int.imagine.ie (mail1 [87.232.1.152]) by relay.imagine.ie (Postfix) with ESMTP id 5CC4A3222F; Tue, 17 Feb 2009 23:41:07 +0000 (GMT)
Received: from [10.87.48.9] (dsl-102-234.cust.imagine.ie [87.232.102.234]) by mail1.int.imagine.ie (8.13.4/8.13.4/Debian-3) with ESMTP id n1HNf2Hj009617 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 17 Feb 2009 23:41:04 GMT
Message-ID: <499B4BC0.4050505@cs.tcd.ie>
Date: Tue, 17 Feb 2009 23:44:00 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <009e01c99070$11d33100$0201a8c0@nsnintra.net> <499AE273.1010609@cs.tcd.ie> <00ca01c9913c$1027aa30$0201a8c0@nsnintra.net>
In-Reply-To: <00ca01c9913c$1027aa30$0201a8c0@nsnintra.net>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0)
X-Canit-Stats-ID: 37399669 - c714820aabfd (trained as not-spam)
X-CanItPRO-Stream: outgoing
X-Scanned-By: CanIt (www . roaringpenguin . com) on 87.232.1.52
Cc: oauth@ietf.org
Subject: Re: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 23:40:58 -0000

Sounds good. I'll see if we've the cycles to get a -01 out (and
totally agree that -00 is missing an important applicability
statement - we did however submit -00 in the 10 minutes before
the MSP deadline, hence the omission:-)

As to milestones, yes, I'd prefer that the charter have a
milestone for draft-ietf-oauth-mobile-00 being 3-6 months
after the WGLC on the base spec. But I can buy the idea of
just mentioning the topic and re-doing the milestones after
WGLC on the base spec.

Stephen.

Hannes Tschofenig wrote:
> Hi Stephen, 
> 
> adding the text as an example of possible extensions the group should work
> on is fine for me as we have already listed other possible extensions to the
> charter text. I got the impression that you wanted to have a milestone added
> already, which I believe would be premature given that the main focus of the
> initial work should be spent on the main spec. As I can read from your
> response you are agreeing with me on this issue. 
> 
> I still believe that the document needs to provide much more context about
> the usage scenarios you have in mind and what the implications regarding
> security area. The current version of the document is essentially only
> describing the bare minimum. 
> 
> Can you ship an update for the IETF#74 cutoff date?  
> 
> Ciao
> Hannes
> 
> 
>> Hannes Tschofenig wrote:
>>> Stephen ask me how their document
>>> draft-dehora-farrell-oauth-accesstoken-creds-00.txt is reflected in 
>>> the charter text.
>> Actually, I sent a mail to you and Blaine off list. I guess we 
>> should now discuss it on the list, now that you've gone ahead 
>> here instead of responding to the off list mail.
>>
>> Also I didn't ask how "its reflected" I suggested a way to 
>> include it, which is quite different.
>>
>> My suggestion is to add the following:
>>
>> "The WG will develop an oauth extension suited for use on 
>> challenged devices and by aggregators that allows for the 
>> client to directly acquire an access token from a set of 
>> credentials. One such scheme is defined in 
>> draft-dehora-farrell-oauth-accesstoken-creds"
>>
>> I'd still like to see that included and will certainly suggest 
>> it again in SF, as I did in MSP, and without anyone (that I 
>> recall) disagreeing with considering the use case.
>>
>>> Independent of this particular document, I believe that we should 
>>> focus our initial efforts on the Base OAUTH specification 
>> rather than 
>>> working on extensions.
>> Agreed. I never asked that our use case be worked before the 
>> spec work is done and have no idea how you formed that impression.
>>
>>> As such, I would say that (depending on the progress of the 
>> work with 
>>> the main specification) we should discuss extensions in the summer 
>>> timeframe.
>> I think its fair enough to mention the AFAIK only proposed 
>> extension that's documented as an I-D in the charter. I don't 
>> read your current charter proposal as encompassing our draft 
>> without rechartering.
>>
>>> Regarding this specific extension: I read through 
>>> draft-dehora-farrell-oauth-accesstoken-creds-00.txt and 
>> wanted to make 
>>> sure that I understood the extension correctly. Here is a 
>> message flow 
>>> that Jeff created some time ago. This document suggests to skip the 
>>> message exchanges marked as (2.*). This means that the redirect from 
>>> the Service Provider to the Customer and the subsequent 
>> steps of user 
>>> authentication and authorization are replaced with the ability to 
>>> carry some username/password in the Access token when the Consumer 
>>> sends the request to the Service Provider.
>> Right.
>>
>>> My personal view is that this goes a bit against the OAUTH idea. 
>>> Unless the username/password is again created using some other 
>>> mechanism (which the document does not describe) then there are 
>>> vulnerability that OAUTH was initially meant to deal with.
>> That's sort-of correct, however the point is that its 
>> necessary to deploy OAuth for existing mobile devices and some 
>> aggregation use cases.
>>
>>> Additionally, the result is less likely to be easy to deploy.
>> I think you're 100% wrong there...for the use cases we're 
>> considering. On what basis do you say that? Do you think that 
>> HTTP redirects on mobiles are just fine?
>>
>>> As a justification for the work the following argument is provided: 
>>> "HTTP redirection to a browser is unavailable or unsuitable, such as 
>>> intermediary aggregators and mobile or settop devices." I wonder 
>>> whether this is really a problem in today's mobile devices 
>> to justify this optimization.
>>
>> You can wonder, but it is.
>>
>> Stephen.
>>
> 
>

v2.23.0 | Report a Bug | By Email