IETF Logo Mail Archive

Re: [oauth] OAUTH Charter Proposal

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Mon, 02 February 2009 14:33 UTC

Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 447D828C217; Mon, 2 Feb 2009 06:33:26 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8AB5528C21C for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 06:33:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.344
X-Spam-Level:
X-Spam-Status: No, score=-2.344 tagged_above=-999 required=5 tests=[AWL=0.255, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OykbDfQw75tI for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 06:33:24 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 71DCB28C217 for <oauth@ietf.org>; Mon, 2 Feb 2009 06:33:16 -0800 (PST)
Received: (qmail invoked by alias); 02 Feb 2009 14:32:55 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp023) with SMTP; 02 Feb 2009 15:32:55 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+1AVUoIvC1SfYb1PBQxtExIQwlP/9xxRcbBMrsfN 1QyZNq5e+Uz5xO
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'George Fletcher' <gffletch@aol.com>
References: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net> <4986F954.1090001@aol.com>
Date: Mon, 02 Feb 2009 16:33:41 +0200
Message-ID: <006301c98543$3f1df240$e846a20a@nsnintra.net>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <4986F954.1090001@aol.com>
Thread-Index: AcmFPMXP+fDI6IjpRvyC04itr8TLogABm+aw
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.54
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org

Sounds good to me. 

Thanks, George. 
 

>-----Original Message-----
>From: George Fletcher [mailto:gffletch@aol.com] 
>Sent: 02 February, 2009 15:47
>To: Hannes Tschofenig
>Cc: oauth@ietf.org
>Subject: Re: [oauth] OAUTH Charter Proposal
>
>Not wanting to start a huge debate... but within the OAuth 
>community we've made the distinction between Authentication 
>and Authorization, with OAuth being an API Authorization 
>protocol and leaving Authentication out of scope.
>
>Is this charter planning to tackle authentication as well as 
>authorization? The statement...
>> OAuth consist of:
>>   * A mechanism for exchanging a user's credentials for a 
>token-secret 
>> pair
>>   
>has me a little confused.  I would word this as...
>
>* A mechanism that allows a user to authorize API access via a 
>token-secret pair
>
>Thanks,
>George
>
>
>Hannes Tschofenig wrote:
>> Hi all,
>>
>> After a chat with Lisa I got in touch with Eran to slightly 
>revise the 
>> charter text that Sam and Mark put together for the last 
>IETF meeting.
>>
>> It should addresses some of the comments provided during the 
>BOF. Your 
>> feedback is welcome.
>>
>> Ciao
>> Hannes
>>
>> -------------------------------------
>>
>> Open Authentication Protocol (oauth)
>>
>> Last Modified: 2009-01-30
>>
>> Chair(s):
>>
>> TBD
>>
>> Applications Area Director(s):
>>
>> Chris Newman <chris.newman@sun.com>
>> Lisa Dusseault <lisa@osafoundation.org>
>>
>> Applications Area Advisor:
>>
>> TBD
>>
>> Mailing Lists:
>>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> Description of Working Group:
>>
>> OAuth allows a user to grant a third-party Web site or application 
>> access to their resources, without revealing their credentials, or 
>> even their identity. For example, a photo-sharing site that supports 
>> OAuth would allow its users to use a third-party printing 
>Web site to 
>> access their private pictures, without gaining full control 
>of the user account.
>>
>> OAuth consist of:
>>   * A mechanism for exchanging a user's credentials for a 
>token-secret 
>> pair which can be used by a third party to access resources 
>on their behalf
>>   * A mechanism for signing HTTP requests with the token-secret pair
>>
>> The Working Group will produce one or more documents suitable for 
>> consideration as Proposed Standard, based upon the OAuth 
>I-D, that will:
>>   * Align OAuth with the Internet and Web architectures, best 
>> practices and terminology
>>   * Assure good security practice, or document gaps in its 
>capabilities
>>   * Promote interoperability
>>
>> This specifically means that as a starting point for the 
>working group 
>> the OAuth 1.0 specification is used and the available 
>extension points 
>> are going to be utilized. It seems desireable to profile 
>OAuth 1.0 in 
>> a way that produces a specification that is a backwards compatible 
>> profile, i.e. any OAUTH 1.0 and the specification produced by this 
>> group must support a basic set of features to guarantee 
>> interoperability.
>>
>> Furthermore, Oauth 1.0 defines three signature methods used 
>to protect 
>> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will 
>> work on new signature methods in case the existing mechanisms do not 
>> fulfill the security requirements. Existing signature 
>methods will not 
>> be modified but may be dropped as part of the backwards 
>compatible profiling activity.
>>
>> In doing so, it should consider:
>>   * Implementer experience
>>   * Existing uses of OAuth
>>   * Ability to achieve broad impementation
>>   * Ability to address broader use cases than may be contemplated by 
>> the original authors
>>   * Impact on the Internet and Web
>>
>> The Working Group is not tasked with defining a generally applicable 
>> HTTP Authentication mechanism (i.e., browser-based "2-leg" 
>scenerio), 
>> and should consider this work out of scope in its discussions. 
>> However, if the deliverables are able to be factored in such a way 
>> that this is a byproduct, or such a scenario could be addressed by 
>> additional future work, the Working Group may choose to do so.
>>
>> After delivering OAuth, the Working Group MAY consider defining 
>> additional functions and/or extensions, for example (but not limited 
>> to):
>>   * Discovery of authentication configuration
>>   * Message integrity
>>   * Recommendations regarding the structure of the token
>>
>> Goals and Milestones:
>>
>> 12/2009     Submit document(s) suitable for publication as 
>standards-track
>> RFCs.
>>
>> _______________________________________________
>> oauth mailing list
>> oauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>   
>

_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email