Re: [oauth] Updated OAuth Charter Text
Peter Saint-Andre <stpeter@stpeter.im> Tue, 07 April 2009 15:32 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CCE383A67DF for <oauth@core3.amsl.com>; Tue, 7 Apr 2009 08:32:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.512
X-Spam-Level:
X-Spam-Status: No, score=-2.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXz866ObLyJf for <oauth@core3.amsl.com>; Tue, 7 Apr 2009 08:32:41 -0700 (PDT)
Received: from dizzyd.com (dizzyd.com [207.210.219.225]) by core3.amsl.com (Postfix) with ESMTP id 4FE253A67A6 for <oauth@ietf.org>; Tue, 7 Apr 2009 08:32:41 -0700 (PDT)
Received: from wrk165.corp.jabber.com (dencfw1.jabber.com [207.182.164.5]) (Authenticated sender: stpeter) by dizzyd.com (Postfix) with ESMTPSA id BB9A2E800D; Tue, 7 Apr 2009 09:33:47 -0600 (MDT)
Message-ID: <49DB725A.9000102@stpeter.im>
Date: Tue, 07 Apr 2009 09:33:46 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <3D3C75174CB95F42AD6BCC56E5555B45013E80AA@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B45013E80AA@FIESEXC015.nsn-intra.net>
X-Enigmail-Version: 0.95.7
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms030905070308040601010602"
Cc: oauth@ietf.org
Subject: Re: [oauth] Updated OAuth Charter Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2009 15:32:42 -0000
Nits inline. On 4/7/09 8:12 AM, Tschofenig, Hannes (NSN - FI/Espoo) wrote: > Based on the discussions during the IETF meeting we have updated the > charter text. > > There are two changes worth mentioning: > > ** Backwards Compatibility ** > > I tried to clarify the term backwards compatibility based on text > provided by Peter Saint-Andre. Peter had some experience with this topic > already in the context of XMPP and I believe that the text they have > used in their original charter fits quite well. > > ** 2-Legged Scenario ** > > Initially, the 2-legged scenario was out-of-scope. The opinion changed > and folks are now interested to also work on this use case within this > group. > > > > Here is the new version: > > --------------------------- > > > Open Authentication Protocol (oauth) > > Last Modified: 2009-04-06 > > Chair(s): > > TBD > > Applications Area Director(s): > > Alexey Melnikov <alexey.melnikov@isode.com> > Lisa Dusseault <lisa@osafoundation.org> > > Applications Area Advisor: > > TBD > > Mailing Lists: > > https://www.ietf.org/mailman/listinfo/oauth > > Description of Working Group: > > OAuth allows a user to grant a third-party Web site or application > access to their resources, without necessarily revealing their > credentials, or even their identity. For example, a photo-sharing site > that supports OAuth would allow its users to use a third-party printing > Web site to access their private pictures, without gaining full control > of the user account. > > OAuth consists of: > * A mechanism for exchanging a user's credentials for a token-secret > pair which can be used by a third party to access resources on their > behalf. For clarity, I would change "their" to "the user's". > * A mechanism for signing HTTP requests with the token-secret pair. > > The Working Group will produce one or more documents suitable for > consideration as Proposed Standard that will: > * Improve the terminology used. > * Embody good security practice, or document gaps in its capabilities, > and propose a path forward for addressing the gap. I would change "the gap" to "those gaps". > * Promote interoperability. Is this an actionable guideline? > * Provide guidelines for extensibility. > > This specifically means that as a starting point for the working group > OAuth 1.0 (i.e., draft-hammer-oauth-00.txt), which is a copy of the > original OAuth specification in IETF draft format, is used and the > available extension points are going to be utilized. That's a somewhat long and confusing sentence. :) I'd be happy to suggest something that might be a bit more readable. We seem to be assuming that the result of the WG activity will be "OAuth 1.1", which further assumes that versioning is well-defined in OAuth. Is that the case, or is definition of versioning in scope for the group? Could we specify a bit more clearly what we mean by "the available extension points"? Are those other documents, or places in OAuth 1.0 where extensibility can occur? > In completing its > work to profile OAuth 1.0 to become OAuth 1.1, the group will strive to > retain backwards compatibility with the OAuth 1.0 specification. > However, changes that are not backwards compatible might be accepted if > the group determines that the changes are required to meet the group's > technical objectives and the group clearly documents the reasons for > making them. > > Furthermore, OAuth 1.0 defines three signature methods used to protect > requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work > on new signature methods Why? Because HMAC-SHA1 and RSA-SHA1 have known vulnerabilities, or because agility is desiable here? > and will describe the environments where new > security requirements justify their usage. Existing signature methods > will not be modified but may be dropped as part of the backwards > compatible profiling activity. The applicability of existing and new > signature methods to protocols other than HTTP will be investigated. > > The Working Group should consider: > * Implementer experience. > * The end-user experience, including internationalization. > * Existing uses of OAuth. > * Ability to achieve broad implementation. > * Ability to address broader use cases than may be contemplated by the > original authors. > > After delivering OAuth 1.1, the Working Group may consider defining > additional functions and/or extensions, for example (but not limited > to): > * Discovery of OAuth configuration, e.g., > http://oauth.net/discovery/1.0. > * Comprehensive message integrity, e.g., > http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.htm > l. > * Recommendations regarding the structure of the token. > * Localization, e.g., > http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/ > 2/spec.html. > * Session-oriented tokens, e.g., > http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html. > * Alternate token exchange profiles, e.g., > draft-dehora-farrell-oauth-accesstoken-creds-00. I'm leery of this long list, which is only a list of *possible* work items ("for example, but not limited to"). Perhaps it makes more sense to not mention extensions until "OAuth 1.1" is complete? At time it might be appropriate to recharter the group and work on new features and extensions. > The work on extensions is within the scope of the working group charter > and requires consensus within the group to add new milestones. But which extensions are in scope? IMHO it's best to tightly define the charter, especially the initial charter. The group can always be rechartered later. > The Working Group will also define a generally applicable HTTP > authentication mechanism (i.e., browser-based "2-leg" scenerio). Is there a draft to refer to here? What is the 2-leg scenario? This might be a term of art, but it is undefined in the charter. > Goals and Milestones: > > Apr 2009 Submit 'OAuth: HTTP Authorization Delegation Protocol' as > working group item > (draft-hammer-oauth will be used as a starting point for > further work.) No need to say this here, since we said it above. > Jul 2009 Submit a document as a working group item providing the > functionality of the 2-legged HTTP authentication mechanism Undefined (see above). And now it is referred to as authentication. This might lead some to think that work on authentication is being smuggled in the back door ("doesn't the IETF already have some authentication protocols defined in both HTTP and SASL?"). > Jul 2009 Start of discussion about OAuth extensions the group should > work on > Oct 2009 Start Working Group Last Call on 'OAuth: HTTP Authorization > Delegation Protocol' > Nov 2009 Submit 'OAuth: HTTP Authorization Delegation Protocol' to > the IESG for consideration as a Proposed Standard > Nov 2009 Start Working Group Last Call on the 2-legged HTTP > authentication mechanism document > Nov 2009 Prepare milestone update to start new work within the scope > of the charter Is that perhaps better as a recharter? > Dec 2009 Submit 2-legged HTTP authentication mechanism document to > the IESG for consideration as a Proposed Standard See above. Thanks for the text! Peter -- Peter Saint-Andre https://stpeter.im/
- [oauth] Updated OAuth Charter Text Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Updated OAuth Charter Text Peter Saint-Andre
- Re: [oauth] Updated OAuth Charter Text Stephen Farrell
- Re: [oauth] Updated OAuth Charter Text Peter Saint-Andre
- Re: [oauth] Updated OAuth Charter Text Eran Hammer-Lahav