Re: [OAUTH-WG] proposed agenda for second interim meeting
"Vrancken Bart bv" <Bart.bv.Vrancken@alcatel-lucent.com> Thu, 04 February 2010 09:39 UTC
Return-Path: <Bart.bv.Vrancken@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E0243A6A93 for <oauth@core3.amsl.com>; Thu, 4 Feb 2010 01:39:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 80EL4z-goAxF for <oauth@core3.amsl.com>; Thu, 4 Feb 2010 01:39:34 -0800 (PST)
Received: from smail3.alcatel.fr (smail3.alcatel.fr [64.208.49.56]) by core3.amsl.com (Postfix) with ESMTP id BA9B13A69BB for <oauth@ietf.org>; Thu, 4 Feb 2010 01:39:33 -0800 (PST)
Received: from FRVELSBHS02.ad2.ad.alcatel.com (frvelsbhs02.dc-m.alcatel-lucent.com [155.132.6.74]) by smail3.alcatel.fr (8.14.3/8.14.3/ICT) with ESMTP id o149dmCD031195; Thu, 4 Feb 2010 10:40:05 +0100
Received: from FRVELSMBS22.ad2.ad.alcatel.com ([155.132.6.53]) by FRVELSBHS02.ad2.ad.alcatel.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 4 Feb 2010 10:39:55 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 04 Feb 2010 10:39:11 +0100
Message-ID: <7A6D4815C5E8F74988784FEBD50F2F1E049723B9@FRVELSMBS22.ad2.ad.alcatel.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723437DFBA2B78@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] proposed agenda for second interim meeting
Thread-Index: Acqk4c0Wgr8hiOUoTAyGjwakt8fvGwADBNDAACPp2aA=
References: <4B69066C.5050809@stpeter.im><90C41DD21FB7C64BB94121FBBC2E723437DFBA2A70@P3PW5EX1MB01.EX1.SECURESERVER.NET><62C93B79-9FF8-4D26-B1A7-7A79C122CC0E@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723437DFBA2B78@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Vrancken Bart bv <Bart.bv.Vrancken@alcatel-lucent.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Dick Hardt <dick.hardt@gmail.com>
X-OriginalArrivalTime: 04 Feb 2010 09:39:55.0792 (UTC) FILETIME=[02620100:01CAA57E]
X-Scanned-By: MIMEDefang 2.64 on 155.132.188.83
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2010 09:39:35 -0000
Hi folks, In the beginning of December, I posted 2 use cases for multi-level delegation, but I didn't receive a lot of feedback there: http://www.ietf.org/mail-archive/web/oauth/current/msg00807.html Please feel free to provide feedback, now we are discussing about use cases. Best regards, Bart Vrancken -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: woensdag 3 februari 2010 17:41 To: Dick Hardt Cc: OAuth WG Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting Has anyone gathered and reviewed use cases? I haven't seen much of that showing up on the list. From my experience, asking people for use cases rarely works, unless someone is willing to do the work and collect them (and so far I haven't heard from such volunteer). I much prefer the process in which we produce a technical document based on OAuth 1.0 and the new requirements as defined by WRAP, and discuss use cases as a property of the technical attributes of this draft. Of course, you don't have to agree with me, but that puts the burden of producing use cases documentation on you and others interested in taking that approach. We certainly have room for both, and keep in mind that my token draft is not (yet) a working group item. The indication I received from many of the active members of this list is that we have a strong desire to show up at Anaheim with two stable drafts. I think we are very close to getting the authentication piece done following much of OAuth 1.0 functionality (only cleaner and better structures), as well as treating bearer tokens as first class citizens. Given that no one has started a discussion about the delegation flows to include, I doubt we will have a stable second draft, but I plan on getting the authentication piece stable in time. It has also been my experience over the past two years that the biggest challenge is to figure out the authentication piece. The 'go get a token' piece tends to be much easier to agree on. If we get the authentication draft to a stable place, my intention is to leave it there and focus on the second part and come back to it as the delegation requirements become clearer (if changes are needed). But at least it gives us something stable to build upon. EHL > -----Original Message----- > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Wednesday, February 03, 2010 7:02 AM > To: Eran Hammer-Lahav > Cc: Peter Saint-Andre; OAuth WG > Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting > > Hi Eran > > I think it is a little early in our phone discussions to get into technical details. > The next step according to the last call was to gather and review use cases. > Without rough consensus on what problem we are solving, your points > below (which all do need to be discussed at some point) is just moving > around deck chairs on the Titanic. > > -- Dick > > On 2010-02-02, at 11:24 PM, Eran Hammer-Lahav wrote: > > > Please add: > > > > - Discuss Adobe's recent request to allow excluding the host/port from the > signed message. > > > > - With regards to #4, how should the challenge identify the token to be > used (realm comes free, do we need another)? > > > > - Should a single token support multiple signature algorithms? This has > implications as to the information the client has to include with the request > (the algorithm used, etc.). > > > > - Where should the token structure live? OAuth 1.0 includes two response > parameters (token and token_secret). However, since we are now moving > towards having the algorithm part of the token definition, as well as duration > and other attributes, the server will need to provide this information to the > client. This calls for a simple schema (can be any format but need to agree to > consistent names). It is currently part of the authorization/delegation draft > (implicitly), but we should discuss moving it to the authentication draft since > that's where it is used (the authorization draft simply hands those "things" > out). > > > > EHL > > > >> -----Original Message----- > >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On > >> Behalf Of Peter Saint-Andre > >> Sent: Tuesday, February 02, 2010 9:15 PM > >> To: OAuth WG > >> Subject: [OAUTH-WG] proposed agenda for second interim meeting > >> > >> <hat type='chair'/> > >> > >> At the first interim meeting, we didn't get through our agenda: > >> > >> http://www.ietf.org/mail-archive/web/oauth/current/msg01013.html > >> > >> Therefore I propose that this time we focus on some unfinished > >> business, starting with the topic of authentication. I have reviewed > >> all of the related threads on the list and have come up with the following > *rough* agenda. > >> Your feedback is welcome to improve this (a.k.a. "agenda > >> bashing") either on the list or during the meeting. > >> > >> For logistics information, see here: > >> > >> http://www.ietf.org/mail-archive/web/oauth/current/msg01085.html > >> > >> ****** > >> > >> AGENDA > >> > >> Base proposal: draft-ietf-oauth-authentication-01 > >> > >> Eran had hoped to push out a new version in time for our meeting, but > >> hasn't been able to get to it yet. However, I think we can continue > >> to move forward with discussion. Feedback is welcome on the general > >> approach, as well as specific open issues. > >> > >> Open issues.... > >> > >> Issue #1: Request Signing vs. API Signing vs. Message Signing > >> http://www.ietf.org/mail-archive/web/oauth/current/msg00961.html > >> > >> 1a. Seeming consensus for message signing. > >> > >> 1b. No consensus yet on message format. > >> - JSON and textual key-value seem to be the leading candidates. > >> > >> 1c. Seeming consensus for multiple/extensible signature algorithms. > >> - HMAC-SHA1 > >> - HMAC-SHA256 > >> - RSASSA-PKCS1-v1.5-SHA256 > >> - PLAIN over SSL/TLS > >> > >> But: which of these are Mandatory-to-Implement? > >> > >> Issue #2: Include the Normalized Request with the Request? > >> http://www.ietf.org/mail-archive/web/oauth/current/msg00962.html > >> > >> Seeming consensus to not include the normalized request (e.g., > >> signature string). > >> > >> Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption? > >> http://www.ietf.org/mail-archive/web/oauth/current/msg00963.html > >> > >> Seeming consensus that channel encryption is must-implement (which > >> does not necessarily mean must-deploy). > >> > >> Issue #4: Authentication Challenges > >> http://www.ietf.org/mail-archive/web/oauth/current/msg01039.html > >> > >> If an authentication (access) request is unacceptable, how does the > >> server tell the client how it can provide proper credentials (e.g., > >> by using a different algorithm)? > >> > >> Possible other topics: > >> > >> - Mutual auth? > >> http://www.ietf.org/mail-archive/web/oauth/current/msg00935.html > >> > >> - Resource authorization? > >> http://www.ietf.org/mail-archive/web/oauth/current/msg01033.html > >> > >> ****** > >> > >> /psa > >> > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] proposed agenda for second interim mee… Peter Saint-Andre
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Anthony Nadalin
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Blaine Cook
- [OAUTH-WG] UMA use cases (was Re: proposed agenda… Eve Maler
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Peter Saint-Andre
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Vrancken Bart bv
- Re: [OAUTH-WG] UMA use cases (was Re: proposed ag… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Peter Saint-Andre
- Re: [OAUTH-WG] proposed agenda for second interim… Dick Hardt
- Re: [OAUTH-WG] proposed agenda for second interim… Peter Saint-Andre
- Re: [OAUTH-WG] UMA use cases (was Re: proposed ag… Anthony Nadalin
- Re: [OAUTH-WG] UMA use cases (was Re: proposed ag… Igor Faynberg
- Re: [OAUTH-WG] UMA use cases (was Re: proposed ag… Paul C. Bryan
- Re: [OAUTH-WG] UMA use cases (was Re: proposed ag… Anthony Nadalin
- Re: [OAUTH-WG] proposed agenda for second interim… Eran Hammer-Lahav
- Re: [OAUTH-WG] proposed agenda for second interim… Peter Saint-Andre