Re: [oauth] Last Call for Comments: OAuth Charter Text
George Fletcher <gffletch@aol.com> Tue, 17 February 2009 17:46 UTC
Return-Path: <GFFletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 666FE3A693C for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 09:46:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NsOxyGrbk+9c for <oauth@core3.amsl.com>; Tue, 17 Feb 2009 09:46:47 -0800 (PST)
Received: from imo-d05.mx.aol.com (imo-d05.mx.aol.com [205.188.157.37]) by core3.amsl.com (Postfix) with ESMTP id 09C563A69C7 for <oauth@ietf.org>; Tue, 17 Feb 2009 09:46:46 -0800 (PST)
Received: from GFFletch@aol.com by imo-d05.mx.aol.com (mail_out_v39.1.) id 7.cc7.4c451a72 (37180); Tue, 17 Feb 2009 12:46:22 -0500 (EST)
Received: from palantir.local ([10.181.74.97]) by cia-ma05.mx.aol.com (v123.3) with ESMTP id MAILCIAMA053-913c499af7e3394; Tue, 17 Feb 2009 12:46:11 -0500
Message-ID: <499AF7E3.7040007@aol.com>
Date: Tue, 17 Feb 2009 12:46:11 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <3D3C75174CB95F42AD6BCC56E5555B45010DB8F0@FIESEXC015.nsn-intra.net> <499AF139.3020706@aol.com> <90C41DD21FB7C64BB94121FBBC2E7234127C939E62@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234127C939E62@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AOL-IP: 10.181.74.97
X-Mailer: Unknown (No Version)
Cc: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] Last Call for Comments: OAuth Charter Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 17:46:48 -0000
So what is the plan for existing extensions written against OAuth 1.0 core? Will they be supported? or will they need to be re-written? Should the charter take into consideration the extensions that are already deployed? (e.g. Scalable OAuth?) Thanks, George Eran Hammer-Lahav wrote: > No. 'extension points' mean the spec allowing new signature methods, parameter methods, etc. The ways in which the spec allows it to be extended. Not extension proposals. > > EHL > > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of George Fletcher >> Sent: Tuesday, February 17, 2009 9:18 AM >> To: Tschofenig, Hannes (NSN - FI/Espoo) >> Cc: oauth@ietf.org >> Subject: Re: [oauth] Last Call for Comments: OAuth Charter Text >> >> Just to clarify... does the following quote from the charter... >> >> "This specifically means that as a starting point for the working group >> the OAuth 1.0 specification is used and the available extension points >> are going to be utilized." >> >> .... mean that all extensions either checked in at oauth.pbwiki.com, >> the >> svn repository, or the >> draft-dehora-farrell-oauth-accesstoken-creds-00.txt that Stephen >> mentions will all be considered? >> >> Or will only certain extensions be considered for inclusion into the >> 1.0 >> version? >> >> Thanks, >> George >> >> Tschofenig, Hannes (NSN - FI/Espoo) wrote: >> >>> Hi all, >>> >>> we have now discussed the charter text for some time and we got good >>> feedback. I have tried to reflect it in an appropriate way. >>> >>> I think it is about time to finish this part of the story. Please >>> >> review >> >>> the current charter text and make a judgement whether we can move >>> forward with it. >>> >>> Ciao >>> Hannes >>> >>> --------------------------------------------------------------------- >>> >> --- >> >>> ------------- >>> >>> Open Authentication Protocol (oauth) >>> >>> Last Modified: 2009-01-30 >>> >>> Chair(s): >>> >>> TBD >>> >>> Applications Area Director(s): >>> >>> Chris Newman <chris.newman@sun.com> >>> Lisa Dusseault <lisa@osafoundation.org> >>> >>> Applications Area Advisor: >>> >>> TBD >>> >>> Mailing Lists: >>> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> Description of Working Group: >>> >>> OAuth allows a user to grant a third-party Web site or application >>> access to their resources, without revealing their credentials, or >>> >> even >> >>> their identity. For example, a photo-sharing site that supports OAuth >>> would allow its users to use a third-party printing Web site to >>> >> access >> >>> their private pictures, without gaining full control of the user >>> account. >>> >>> OAuth consists of: >>> * A mechanism for exchanging a user's credentials for a token- >>> >> secret >> >>> pair that can be used by a third party to access resources on their >>> behalf. >>> * A mechanism for signing HTTP requests with the token-secret pair. >>> >>> The Working Group will produce one or more documents suitable for >>> consideration as Proposed Standard, based upon the OAuth I-D, that >>> >> will: >> >>> * Align OAuth with the Internet and Web architectures, best >>> >> practices >> >>> and terminology. >>> * Assure good security practice, or document gaps in its >>> >> capabilities, >> >>> and propose a path forward for addressing the gap. >>> * Promote interoperability. >>> * Provide guidelines for extensibility. >>> >>> This specifically means that as a starting point for the working >>> >> group >> >>> the OAuth 1.0 specification is used and the available extension >>> >> points >> >>> are going to be utilized. It seems desireable to profile OAuth 1.0 in >>> >> a >> >>> way that produces a specification that is a backwards compatible >>> profile, i.e. an OAuth 1.0 implementation and the specification >>> >> produced >> >>> by this group must support a basic set of features to guarantee >>> interoperability. >>> >>> Furthermore, OAuth 1.0 defines three signature methods used to >>> >> protect >> >>> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will >>> >> work >> >>> on new signature methods and will describe the environments where new >>> security requirements justify their usage. Existing signature methods >>> will not be modified but may be dropped as part of the backwards >>> compatible profiling activity. The applicability of existing and new >>> signature methods to protocols other than HTTP will be investigated. >>> >>> In doing so, it should consider: >>> * Implementer experience. >>> * Existing uses of OAuth. >>> * Ability to achieve broad impementation. >>> * Ability to address broader use cases than may be contemplated by >>> >> the >> >>> original authors. >>> * Impact on the Internet and Web. >>> >>> The Working Group is not tasked with defining a generally applicable >>> HTTP Authentication mechanism (i.e., browser-based "2-leg" scenerio), >>> and should consider this work out of scope in its discussions. >>> >> However, >> >>> if the deliverables are able to be factored in such a way that this >>> >> is a >> >>> byproduct, or such a scenario could be addressed by additional future >>> work, the Working Group may choose to do so. >>> >>> After delivering OAuth, the Working Group may consider defining >>> additional functions and/or extensions, for example (but not limited >>> to): >>> * Discovery of authentication configuration. >>> * Message integrity. >>> * Recommendations regarding the structure of the token. >>> >>> Goals and Milestones: >>> >>> Apr 2009 Submit 'OAuth: HTTP Authorization Delegation Protocol' as >>> working group item >>> (draft-hammer-oauth will be used as a starting point for >>> further work.) >>> Sep 2009 Start Working Group Last Call on 'OAuth: HTTP >>> >> Authorization >> >>> Delegation Protocol' >>> Sep 2009 Discusion about OAUTH extensions the group should work on >>> Nov 2009 Submit 'OAuth: HTTP Authorization Delegation Protocol' to >>> the IESG for consideration as a Proposed Standard >>> Nov 2009 Prepare milestone update to start new work within the >>> >> scope >> >>> of the charter >>> _______________________________________________ >>> oauth mailing list >>> oauth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >> _______________________________________________ >> oauth mailing list >> oauth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > >
- [oauth] Last Call for Comments: OAuth Charter Text Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Last Call for Comments: OAuth Charter… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Last Call for Comments: OAuth Charter… Stephen Farrell
- Re: [oauth] Last Call for Comments: OAuth Charter… George Fletcher
- Re: [oauth] Last Call for Comments: OAuth Charter… Eran Hammer-Lahav
- Re: [oauth] Last Call for Comments: OAuth Charter… George Fletcher
- Re: [oauth] Last Call for Comments: OAuth Charter… Eran Hammer-Lahav
- Re: [oauth] Last Call for Comments: OAuth Charter… Aaron Stone
- Re: [oauth] Last Call for Comments: OAuth Charter… Hannes Tschofenig
- Re: [oauth] Last Call for Comments: OAuth Charter… Tschofenig, Hannes (NSN - FI/Espoo)