Re: [oauth] FW: OAUTH charter for consideration
"Thomas Hardjono" <hardjono@MIT.EDU> Wed, 15 April 2009 13:04 UTC
Return-Path: <hardjono@MIT.EDU>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0C823A6B0A for <oauth@core3.amsl.com>; Wed, 15 Apr 2009 06:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NkIse-jvvrzu for <oauth@core3.amsl.com>; Wed, 15 Apr 2009 06:04:27 -0700 (PDT)
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by core3.amsl.com (Postfix) with ESMTP id 787B33A6A8B for <oauth@ietf.org>; Wed, 15 Apr 2009 06:04:27 -0700 (PDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id n3FD5ERJ028616; Wed, 15 Apr 2009 09:05:15 -0400 (EDT)
Received: from thomasvnf1ekrv (dhcp-18-111-63-76.dyn.mit.edu [18.111.63.76]) (authenticated bits=0) (User authenticated as hardjono@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id n3FD5DDP014760 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 15 Apr 2009 09:05:13 -0400 (EDT)
From: Thomas Hardjono <hardjono@MIT.EDU>
To: 'Hannes Tschofenig' <Hannes.Tschofenig@gmx.net>, Adrian.Farrel@huawei.com
References: <010e01c9bd9f$26743710$0201a8c0@nsnintra.net>
In-Reply-To: <010e01c9bd9f$26743710$0201a8c0@nsnintra.net>
Date: Wed, 15 Apr 2009 09:05:14 -0400
Message-ID: <003201c9bdca$d152d580$73f88080$@edu>
X-Mailer: Microsoft Office Outlook 12.0
MIME-Version: 1.0
Thread-Index: Acm65a7RhhoyCCO5TCqyz9HkG7yebQCuGqWQAAsM2dA=
Content-Language: en-us
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_002D_01C9BDA9.49769280"
X-Scanned-By: MIMEDefang 2.42
Cc: oauth@ietf.org
Subject: Re: [oauth] FW: OAUTH charter for consideration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2009 13:04:29 -0000
Hi, I just had a short question/suggestion. In the past every time a new WG is to be proposed or created, the IETF usually insists that the new WG make-use of existing protocols and/or mechanisms, which already exists in the IETF or other Standards organization. (ie. don't re-invent the wheel). Will this mandate also be observed in this new WG? Thanks. /thomas/ > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Hannes Tschofenig > Sent: Wednesday, April 15, 2009 3:53 AM > To: Adrian.Farrel@huawei.com > Cc: oauth@ietf.org > Subject: [oauth] FW: OAUTH charter for consideration > > Hi Adrian, > > thanks for your feedback to the charter. I have addressed most of your > comments in the updated charter text. A few minor comments inline > (search > for [hannes]). > > I will distribute the updated charter text with a subsequent mail. > > Ciao > Hannes > > > > ________________________________ > > From: Lisa Dusseault > [mailto:Lisa.Dusseault@messagingarchitects.com] > > Sent: 11 April, 2009 23:39 > To: Blaine Cook; Hannes Tschofenig > Subject: Fwd: OAUTH charter for consideration > > > FYI > > > Begin forwarded message: > > > From: Adrian Farrel <Adrian.Farrel@huawei.com> > Date: April 10, 2009 1:08:27 PM PDT > To: Lisa Dusseault <Lisa.Dusseault@messagingarchitects.com> > Cc: iesg@ietf.org > Subject: Re: OAUTH charter for consideration > Reply-To: Adrian Farrel <Adrian.Farrel@huawei.com> > > Hi Lisa, > > Nits, but mainly that the third person has become confused. > > > > Description of Working Group: > > > > OAuth allows a user to grant a third-party Web site > or application access to their resources, without necessarily revealing > their credentials, or even their identity. > > > > "their resources" == the user's resources? > "their credentials" == the third party's credentials? > "their identity" == the third party's identity? > > Would be neat to clean that up. > > > > For example, a photo-sharing site that supports > OAuth would allow its users to use a third-party printing Web site to > access their private pictures, without gaining full control of the user > account. > > > > Even in this example... > "thier private pictures" == each user's private pictures? > > > > OAuth consists of: > > > * A mechanism for exchanging a user's credentials > for a token- secret pair which can be used by a third party to access > resources on their behalf. > > > > On the user's behalf or on behalf of the third party? > > > > * A mechanism for signing HTTP requests with the > token-secret pair. > > > > The Working Group will produce one or more documents > suitable for consideration as Proposed Standard that will: > > > * Improve the terminology used. > > > * Embody good security practice, or document gaps > in its capabilities, and propose a path forward for addressing the gap. > > > > s/gap/gaps/ > > > > * Promote interoperability. > > > * Provide guidelines for extensibility. > > > > This specifically means that as a starting point for > the working group OAuth 1.0 (i.e., draft-hammer-oauth-00.txt), which is > a > copy of the original OAuth specification in IETF draft format, is used > and > the available extension points are going to be utilized. In completing > its > work to profile OAuth 1.0 to become OAuth 1.1, the group will strive to > retain backwards compatibility with the OAuth 1.0 specification. > However, > changes that are not backwards compatible might be accepted > > > > s/backwards/backward/ x2 > > > > if the group determines that the changes are > required to meet the group's technical objectives and the group clearly > documents the reasons for making them. > > > > Furthermore, OAuth 1.0 defines three signature > methods used to protect requests, namely PLAINTEXT, HMAC-SHA1, and RSA- > SHA1. > The group will work on new signature methods and will describe the > environments where new security requirements justify their usage. > Existing > signature methods will not be modified but may be dropped as part of > the > > > > s/modified/modified,/ > > > > backwards compatible profiling activity. The > applicability of existing > > > > s/backwards/backward/ > > > > and new signature methods to protocols other than > HTTP will be investigated. > > > > The Working Group should consider: > > > * Implementer experience. > > > * The end-user experience, including > internationalization. > > > * Existing uses of OAuth. > > > * Ability to achieve broad implementation. > > > * Ability to address broader use cases than may be > contemplated by the original authors. > > > > After delivering OAuth 1.1, the Working Group may > consider defining additional functions and/or extensions, for example > (but > not limited > > > to): > > > * Discovery of OAuth configuration, e.g., > http://oauth.net/discovery/1.0 . > > > * Comprehensive message integrity, e.g., > http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.htm > l . > > > * Recommendations regarding the structure of the > token. > > > * Localization, e.g., > > > > http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/ > 2/sp > ec.html . > > > * Session-oriented tokens, e.g., > > > > http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html. > > > > I find it a bit odd to see URLs in the charter like this > given that we don't feel very comfortable with URLs in RFCs. > > > [hannes] We put them in there since folks want to have a few examples of > possible extensions listed. The name of the extension, however, does not > really provide enough useful content and hence we added the pointers. > > > > * Alternate token exchange profiles, e.g., > draft-dehora-farrell- oauth-accesstoken-creds-00. > > > > The work on extensions is within the scope of the > working group charter and requires consensus within the group to add > new > milestones. > > > > s/and/, but/ ??? > > > > The Working Group will also define a generally > applicable HTTP authentication mechanism (i.e., browser-based "2-leg" > scenerio). > > > > s/i.e./e.g./ ??? > > > [hannes] "i.e." is correct here since 2-legged scenario is the > terminology > we are using for this type of exchange. > > > Goals and Milestones: > > > > Apr 2009 Submit 'OAuth: HTTP Authorization > Delegation Protocol' as working group item > > > (draft-hammer-oauth will be used as a > starting point for further work.) > > > Jul 2009 Submit a document as a working group > item providing the functionality of the 2-legged HTTP authentication > mechanism > > > Jul 2009 Start of discussion about OAuth > extensions the group should work on > > > Oct 2009 Start Working Group Last Call on 'OAuth: > HTTP Authorization Delegation Protocol' > > > Nov 2009 Submit 'OAuth: HTTP Authorization > Delegation Protocol' to the IESG for consideration as a Proposed > Standard > > > Nov 2009 Start Working Group Last Call on the > 2-legged HTTP authentication mechanism document > > > Nov 2009 Prepare milestone update to start new > work within the scope of the charter > > > Dec 2009 Submit 2-legged HTTP authentication > mechanism document to the IESG for consideration as a Proposed Standard > > > > Cheers, > Adrian > > > > --- Scanned by M+ Guardian Messaging Firewall --- Messaging > Architects sponsors The Spamhaus Project. > > > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [oauth] FW: OAUTH charter for consideration Hannes Tschofenig
- Re: [oauth] FW: OAUTH charter for consideration Thomas Hardjono
- Re: [oauth] FW: OAUTH charter for consideration Tschofenig, Hannes (NSN - FI/Espoo)