Re: [OAUTH-WG] Internal WG Review: Recharter of Web Authorization Protocol (oauth)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 09 May 2012 14:27 UTC

Message-ID: <4FAA7EB6.6050604@cs.tcd.ie>
Date: Wed, 09 May 2012 15:27:02 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
References: <20120503181339.17651.84259.idtracker@ietfa.amsl.com> <CALaySJKLytyKdS=AUpa5wgRNBe96sHgZ1n0kGnO8fWyU4p-=vQ@mail.gmail.com>
In-Reply-To: <CALaySJKLytyKdS=AUpa5wgRNBe96sHgZ1n0kGnO8fWyU4p-=vQ@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Internal WG Review: Recharter of Web Authorization Protocol (oauth)

Hi,

There's been a bit of IESG comment on the proposed new
charter resulting in a few editorial changes. So just
in case, the text below is what I'd like to propose for
approval on Thursday.

Let me know if there's anything substantively wrong
here, in which case, we'll probably want to re-spin
the text and I'll put it back for consideration on
the following IESG meeting (another two weeks).

Thanks,
Stephen.

> ------------------------------------------
> Web Authorization Protocol (oauth)
> ------------------------------------------
> Current Status: Active
> Last updated: 2012-05-03
>
> Chairs:
>  Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
>  Derek Atkins <derek@ihtfp.com>
>
> Security Area Directors:
>  Stephen Farrell <stephen.farrell@cs.tcd.ie>
>  Sean Turner <turners@ieca.com>
>
> Security Area Advisor:
>  Stephen Farrell <stephen.farrell@cs.tcd.ie>
>
> Technical Advisor:
>  Peter Saint-Andre <stpeter@stpeter.im>
>
> Mailing Lists:
>  Address:      oauth@ietf.org
>  To Subscribe: https://www.ietf.org/mailman/listinfo/oauth
>  Archive:      http://www.ietf.org/mail-archive/web/oauth/
>
> Description of Working Group:
>
> The Web Authorization (OAuth) protocol allows a user to grant
> a third-party Web site or application access to the user's protected
> resources, without necessarily revealing their long-term credentials,
> or even their identity. For example, a photo-sharing site that supports
> OAuth could allow its users to use a third-party printing Web site to
> print their private pictures, without allowing the printing site to
> gain full control of the user's account and without having the user
> share his or her photo-sharing site's long-term credential with the
> printing site.
>
> The OAuth protocol suite encompasses
> * a procedure for allowing a client to discover an authorization server,
> * a protocol for obtaining authorization tokens from an authorization
>   server with the resource owner's consent,
> * protocols for presenting these authorization tokens to protected
>   resources for access to a resource, and
> * consequently for sharing data in a security and privacy respective way.
>
> The working group also developed security schemes for presenting
> authorization tokens to access a protected resource. This led to the
> publication of the bearer token, as well as work that remains to be
> completed on message authentication code (MAC) access
> authentication and SAML assertions to interwork with existing
> identity management solutions.  The working group will complete
> those remaining documents, and will also complete documentation
> of the OAuth threat model that was started under the previous charter.
>
> The ongoing standardization effort within the OAuth working group
> will focus on enhancing interoperability of OAuth deployments.  A
> standard for a token revocation service, which can be separated from
> the existing web tokens to the token repertoire will enable wider
> deployment of OAuth.  Extended documentation of OAuth use cases
> will enhance the understanding of the OAuth framework and provide
> assistance to implementors.  And dynamic client registration will make
> it easier to broadly deploy OAuth clients (performing services to users).
>
> Goals and Milestones
>
> Done  Submit 'OAuth 2.0 Threat Model and Security Considerations' as a
>     working group item
> Done  Submit 'HTTP Authentication: MAC Authentication' as a working
>     group item
> Done  Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for
>     consideration as a Proposed Standard
> Done  Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for
>     consideration as a Proposed Standard
>
> May  2012  Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to
>          the IESG for consideration as a Proposed Standard
> May  2012  Submit 'OAuth 2.0 Assertion Profile' to the IESG for
>          consideration as a Proposed Standard
> May  2012  Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for
>          consideration as a Proposed Standard
> May  2012  Submit 'OAuth 2.0 Threat Model and Security Considerations'
>          to the IESG for consideration as an Informational RFC
> Dec. 2012  Submit 'HTTP Authentication: MAC Authentication' to the IESG
>          for consideration as a Proposed Standard
>
> Aug. 2012  Submit 'Token Revocation' to the IESG for consideration as a
>          Proposed Standard
> [Starting point for the work will be
> http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/]
>
> Nov. 2012  Submit 'JSON Web Token (JWT)' to the IESG for consideration
>          as a Proposed Standard
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-jones-json-web-token]
>
> Nov. 2012  Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth
>          2.0' to the IESG for consideration as a Proposed Standard
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer]
>
> Dec. 2012  Submit 'OAuth Use Cases' to the IESG for consideration as an
>          Informational RFC
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases]
>
> Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to the
>          IESG for consideration as a Proposed Standard
> [Starting point for the work will be
> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg]
> ------------------------------------------
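The charter's description lists three pieces of the OAuth suite (a server that issues tokens only with the resource owner's consent, presentation of a bearer token to a protected resource, and a token revocation service). As an added, self-contained sketch of how those pieces fit together, not code from the charter, from any OAuth draft, or from the message above: the token format (an HMAC-tagged JSON body), the class and method names, the `photos:read` scope and the `printing-site` client are all constructed for this example.

```python
# Constructed example of the OAuth components named in the charter:
# an authorization server that issues bearer tokens with resource-owner consent,
# a resource server that accepts "Authorization: Bearer <token>", and a
# revocation service. Token encoding and all names are assumptions for this
# example, not anything specified by the OAuth drafts.
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Issues, introspects and revokes bearer tokens (constructed example)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._clients = {}      # client_id -> client_secret
        self._revoked = set()   # token ids (jti) that have been revoked

    def register_client(self, client_id: str, client_secret: str) -> None:
        self._clients[client_id] = client_secret

    def issue_token(self, client_id, client_secret, resource_owner, scope,
                    consent_granted, ttl=3600, now=None) -> str:
        expected = self._clients.get(client_id)
        # Constant-time compare so a wrong secret cannot be told apart by timing.
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("unknown client or bad client secret")
        if not consent_granted:
            raise PermissionError("resource owner did not grant access")
        now = time.time() if now is None else now
        claims = {"sub": resource_owner, "client_id": client_id, "scope": scope,
                  "exp": int(now) + ttl, "jti": secrets.token_urlsafe(16)}
        body = _b64url(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def introspect(self, token, now=None):
        """Return the claims if the token is genuine, unexpired and not revoked."""
        try:
            body, tag = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None          # forged or tampered token
        try:
            claims = json.loads(_b64url_decode(body))
        except (ValueError, UnicodeDecodeError):
            return None
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now or claims.get("jti") in self._revoked:
            return None
        return claims

    def revoke(self, token, now=None) -> bool:
        """Revocation service: mark a still-valid token as unusable."""
        claims = self.introspect(token, now=now)
        if claims is None:
            return False
        self._revoked.add(claims["jti"])
        return True


class ResourceServer:
    """Protected resource that checks the bearer token before serving data."""

    def __init__(self, authz: AuthorizationServer, resources: dict):
        self._authz = authz
        self._resources = resources   # scope -> data guarded by that scope

    def handle(self, headers: dict, scope: str, now=None):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, {"error": "invalid_request"}
        claims = self._authz.introspect(token, now=now)
        if claims is None:
            return 401, {"error": "invalid_token"}
        if scope not in claims["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"owner": claims["sub"], "data": self._resources[scope]}


def demo(now=1_700_000_000):
    """Walk the charter's photo-sharing / printing-site scenario (constructed)."""
    authz = AuthorizationServer(secrets.token_bytes(32))
    authz.register_client("printing-site", "print-secret")
    photos = ResourceServer(authz, {"photos:read": ["img001.jpg", "img002.jpg"]})
    token = authz.issue_token("printing-site", "print-secret", "alice",
                              "photos:read", consent_granted=True, now=now)
    hdr = {"Authorization": f"Bearer {token}"}
    ok = photos.handle(hdr, "photos:read", now=now)
    wrong_scope = photos.handle(hdr, "account:admin", now=now)
    expired = photos.handle(hdr, "photos:read", now=now + 3601)
    authz.revoke(token, now=now)
    revoked = photos.handle(hdr, "photos:read", now=now)
    return {"ok": ok[0], "wrong_scope": wrong_scope[0],
            "expired": expired[0], "revoked": revoked[0]}


if __name__ == "__main__":
    print(demo())
```

The scope check and the expiry/revocation check are deliberately done on the resource server side on every request: a bearer token is usable by whoever holds it, so the resource server, not the client, is where a leaked, expired or revoked token has to be stopped.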