Re: [oauth] OAUTH Charter Proposal
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Mon, 02 February 2009 14:33 UTC
Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 447D828C217; Mon, 2 Feb 2009 06:33:26 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8AB5528C21C for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 06:33:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.344
X-Spam-Level:
X-Spam-Status: No, score=-2.344 tagged_above=-999 required=5 tests=[AWL=0.255, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OykbDfQw75tI for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 06:33:24 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 71DCB28C217 for <oauth@ietf.org>; Mon, 2 Feb 2009 06:33:16 -0800 (PST)
Received: (qmail invoked by alias); 02 Feb 2009 14:32:55 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp023) with SMTP; 02 Feb 2009 15:32:55 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+1AVUoIvC1SfYb1PBQxtExIQwlP/9xxRcbBMrsfN 1QyZNq5e+Uz5xO
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'George Fletcher' <gffletch@aol.com>
References: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net> <4986F954.1090001@aol.com>
Date: Mon, 02 Feb 2009 16:33:41 +0200
Message-ID: <006301c98543$3f1df240$e846a20a@nsnintra.net>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <4986F954.1090001@aol.com>
Thread-Index: AcmFPMXP+fDI6IjpRvyC04itr8TLogABm+aw
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.54
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org
Sounds good to me. Thanks, George. >-----Original Message----- >From: George Fletcher [mailto:gffletch@aol.com] >Sent: 02 February, 2009 15:47 >To: Hannes Tschofenig >Cc: oauth@ietf.org >Subject: Re: [oauth] OAUTH Charter Proposal > >Not wanting to start a huge debate... but within the OAuth >community we've made the distinction between Authentication >and Authorization, with OAuth being an API Authorization >protocol and leaving Authentication out of scope. > >Is this charter planning to tackle authentication as well as >authorization? The statement... >> OAuth consist of: >> * A mechanism for exchanging a user's credentials for a >token-secret >> pair >> >has me a little confused. I would word this as... > >* A mechanism that allows a user to authorize API access via a >token-secret pair > >Thanks, >George > > >Hannes Tschofenig wrote: >> Hi all, >> >> After a chat with Lisa I got in touch with Eran to slightly >revise the >> charter text that Sam and Mark put together for the last >IETF meeting. >> >> It should addresses some of the comments provided during the >BOF. Your >> feedback is welcome. >> >> Ciao >> Hannes >> >> ------------------------------------- >> >> Open Authentication Protocol (oauth) >> >> Last Modified: 2009-01-30 >> >> Chair(s): >> >> TBD >> >> Applications Area Director(s): >> >> Chris Newman <chris.newman@sun.com> >> Lisa Dusseault <lisa@osafoundation.org> >> >> Applications Area Advisor: >> >> TBD >> >> Mailing Lists: >> >> https://www.ietf.org/mailman/listinfo/oauth >> >> Description of Working Group: >> >> OAuth allows a user to grant a third-party Web site or application >> access to their resources, without revealing their credentials, or >> even their identity. For example, a photo-sharing site that supports >> OAuth would allow its users to use a third-party printing >Web site to >> access their private pictures, without gaining full control >of the user account. >> >> OAuth consist of: >> * A mechanism for exchanging a user's credentials for a >token-secret >> pair which can be used by a third party to access resources >on their behalf >> * A mechanism for signing HTTP requests with the token-secret pair >> >> The Working Group will produce one or more documents suitable for >> consideration as Proposed Standard, based upon the OAuth >I-D, that will: >> * Align OAuth with the Internet and Web architectures, best >> practices and terminology >> * Assure good security practice, or document gaps in its >capabilities >> * Promote interoperability >> >> This specifically means that as a starting point for the >working group >> the OAuth 1.0 specification is used and the available >extension points >> are going to be utilized. It seems desireable to profile >OAuth 1.0 in >> a way that produces a specification that is a backwards compatible >> profile, i.e. any OAUTH 1.0 and the specification produced by this >> group must support a basic set of features to guarantee >> interoperability. >> >> Furthermore, Oauth 1.0 defines three signature methods used >to protect >> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will >> work on new signature methods in case the existing mechanisms do not >> fulfill the security requirements. Existing signature >methods will not >> be modified but may be dropped as part of the backwards >compatible profiling activity. >> >> In doing so, it should consider: >> * Implementer experience >> * Existing uses of OAuth >> * Ability to achieve broad impementation >> * Ability to address broader use cases than may be contemplated by >> the original authors >> * Impact on the Internet and Web >> >> The Working Group is not tasked with defining a generally applicable >> HTTP Authentication mechanism (i.e., browser-based "2-leg" >scenerio), >> and should consider this work out of scope in its discussions. >> However, if the deliverables are able to be factored in such a way >> that this is a byproduct, or such a scenario could be addressed by >> additional future work, the Working Group may choose to do so. >> >> After delivering OAuth, the Working Group MAY consider defining >> additional functions and/or extensions, for example (but not limited >> to): >> * Discovery of authentication configuration >> * Message integrity >> * Recommendations regarding the structure of the token >> >> Goals and Milestones: >> >> 12/2009 Submit document(s) suitable for publication as >standards-track >> RFCs. >> >> _______________________________________________ >> oauth mailing list >> oauth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ oauth mailing list oauth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [oauth] OAUTH Charter Proposal James Aylett
- [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Krishna Sankar
- Re: [oauth] OAUTH Charter Proposal Chris Messina
- Re: [oauth] OAUTH Charter Proposal Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] OAUTH Charter Proposal Chris Messina
- Re: [oauth] OAUTH Charter Proposal Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] OAUTH Charter Proposal George Fletcher
- Re: [oauth] OAUTH Charter Proposal Hubert Le Van Gong
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig
- Re: [oauth] OAUTH Charter Proposal Hubert Le Van Gong
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal kellan
- Re: [oauth] OAUTH Charter Proposal John Kemp
- Re: [oauth] OAUTH Charter Proposal Blaine Cook
- Re: [oauth] OAUTH Charter Proposal George Fletcher
- Re: [oauth] OAUTH Charter Proposal Lisa Dusseault
- Re: [oauth] OAUTH Charter Proposal Eran Hammer-Lahav
- Re: [oauth] OAUTH Charter Proposal Hallam-Baker, Phillip
- Re: [oauth] OAUTH Charter Proposal Bill de hOra
- Re: [oauth] OAUTH Charter Proposal Joseph A Holsten
- Re: [oauth] OAUTH Charter Proposal Hannes Tschofenig