IETF Logo Mail Archive

Re: [oauth] Updated Charter Text

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 18 February 2009 11:07 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 466E628C1F0 for <oauth@core3.amsl.com>; Wed, 18 Feb 2009 03:07:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.293
X-Spam-Level:
X-Spam-Status: No, score=-0.293 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P3Py1gblhcgG for <oauth@core3.amsl.com>; Wed, 18 Feb 2009 03:07:15 -0800 (PST)
Received: from mail.newbay.com (87-198-172-198.ptr.magnet.ie [87.198.172.198]) by core3.amsl.com (Postfix) with ESMTP id 0F83B28C1DE for <oauth@ietf.org>; Wed, 18 Feb 2009 03:07:14 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.newbay.com (Postfix) with ESMTP id 6E0471003F4C7; Wed, 18 Feb 2009 11:07:25 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail.newbay.com ([127.0.0.1]) by localhost (mail.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-R4UQHVKxei; Wed, 18 Feb 2009 11:07:24 +0000 (GMT)
Received: from [192.168.3.55] (unknown [192.168.3.55]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.newbay.com (Postfix) with ESMTP id 5274510040740; Wed, 18 Feb 2009 11:07:22 +0000 (GMT)
Message-ID: <499BEC9E.10704@cs.tcd.ie>
Date: Wed, 18 Feb 2009 11:10:22 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <3D3C75174CB95F42AD6BCC56E5555B4501102F3B@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4501102F3B@FIESEXC015.nsn-intra.net>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [oauth] Updated Charter Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2009 11:07:16 -0000

Hate to keep banging the same drum, but I don't see how the
mobile use case is included there, so I'd still suggest the
addition below. (Other than that this charter is fine by me.)

While I would like there to be a milestone associated with
that, I'm ok if that's done later, so haven't suggested one.
(If asked, I'd go for WGLC on a mobile draft 3-6 months after
the WGLC starts on the base spec.)

Stephen.

Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> Based on the feedback I have compiled another version of the charter
> text.  
> 
> ------------------------------------------
> 
> Open Authentication Protocol (oauth)
> 
> Last Modified: 2009-01-30
> 
> Chair(s):
> 
> TBD
> 
> Applications Area Director(s):
> 
> Chris Newman <chris.newman@sun.com>
> Lisa Dusseault <lisa@osafoundation.org> 
> 
> Applications Area Advisor:
> 
> TBD
> 
> Mailing Lists:
> 
> https://www.ietf.org/mailman/listinfo/oauth
> 
> Description of Working Group:
> 
> OAuth allows a user to grant a third-party Web site or application
> access to their resources, without necessarily revealing their
> credentials, or  even their identity. For example, a photo-sharing site
> that supports OAuth would allow its users to use a third-party printing
> Web site to access  their private pictures, without gaining full control
> of the user account.
> 
> OAuth consists of:
>   * A mechanism for exchanging a user's credentials for a token-secret
> pair which can be used by a third party to access resources on their
> behalf.
>   * A mechanism for signing HTTP requests with the token-secret pair.
> 
> The Working Group will produce one or more documents suitable for
> consideration as Proposed Standard, based upon
> draft-hammer-oauth-00.txt, that  will:
>   * Improve the terminology used.
>   * Embody good security practice, or document gaps in its capabilities,
> and propose a path forward for addressing the gap.
>   * Promote interoperability.
>   * Provide guidelines for extensibility.
> 
> This specifically means that as a starting point for the working group
> OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available
> extension  points are going to be utilized. The WG will profile OAuth
> 1.0 in a way that produces a specification that is a backwards
> compatible profile,  i.e. any OAuth 1.0 and the specification produced
> by this group must support a basic set of features to guarantee
> interoperability. 
> 
> Furthermore, OAuth 1.0 defines three signature methods used to protect
> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work
> on new signature methods and will describe the environments where new
> security requirements justify their usage. Existing signature methods
> will not be modified but may be dropped as part of the backwards
> compatible profiling activity. The applicability of existing and new
> signature methods to protocols other than HTTP will be investigated.
> 
> The Working Group should consider:
>   * Implementer experience.
>   * The end-user experience, including internationalization
>   * Existing uses of OAuth.
>   * Ability to achieve broad impementation.
>   * Ability to address broader use cases than may be contemplated by the
> original authors.
> 
> The Working Group is not tasked with defining a generally applicable
> HTTP Authentication mechanism (i.e., browser-based "2-leg" scenerio),
> and  should consider this work out of scope in its discussions. However,
> if the deliverables are able to be factored in such a way that this is a
> byproduct, or such a scenario could be addressed by additional future
> work, the Working Group may choose to do so.

After delivering OAuth, the WG will, if necessary, develop an oauth
extension suited for use on challenged devices and by aggregators that
allows for the client to directly acquire an access token from a set of
credentials. One such scheme is defined in
draft-dehora-farrell-oauth-accesstoken-creds.


> After delivering OAuth, the Working Group may consider defining
> additional functions and/or extensions, for example (but not limited
> to):
>   * Discovery of OAuth configuration.
>   * Comprehensive message integrity.
>   * Recommendations regarding the structure of the token.
>   * Localization.
>   * Session-oriented tokens.
>   * Alternate token exchange profiles.
>
> Goals and Milestones:
> 
> Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
> working group item
>             (draft-hammer-oauth will be used as a starting point for
> further work.)
> Jul 2009    Start of discussion about OAuth extensions the group should
> work on
> Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
> Delegation Protocol'
> Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to
> the IESG for consideration as a Proposed Standard 
> Nov 2009    Prepare milestone update to start new work within the scope
> of the charter
> 
> 
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email