Re: [oauth] Charter Proposal v2
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 05 February 2009 16:56 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0D57928C15D for <oauth@core3.amsl.com>; Thu, 5 Feb 2009 08:56:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.243
X-Spam-Level:
X-Spam-Status: No, score=-0.243 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epLIYk1AJLwj for <oauth@core3.amsl.com>; Thu, 5 Feb 2009 08:56:43 -0800 (PST)
Received: from mail.newbay.com (87-198-172-198.ptr.magnet.ie [87.198.172.198]) by core3.amsl.com (Postfix) with ESMTP id D85973A6840 for <oauth@ietf.org>; Thu, 5 Feb 2009 08:56:42 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.newbay.com (Postfix) with ESMTP id AC524100415A6; Thu, 5 Feb 2009 16:56:21 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail.newbay.com ([127.0.0.1]) by localhost (mail.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UJFNXgiAJuue; Thu, 5 Feb 2009 16:56:20 +0000 (GMT)
Received: from [192.168.3.55] (unknown [192.168.3.55]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.newbay.com (Postfix) with ESMTP id 68BF01004073D; Thu, 5 Feb 2009 16:56:20 +0000 (GMT)
Message-ID: <498B1AC9.6020600@cs.tcd.ie>
Date: Thu, 05 Feb 2009 16:58:49 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <3D3C75174CB95F42AD6BCC56E5555B45FFEF34@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B45FFEF34@FIESEXC015.nsn-intra.net>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [oauth] Charter Proposal v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Feb 2009 16:56:44 -0000
Hi Hannes, That's pretty good. A bunch of nits below. Stephen. Tschofenig, Hannes (NSN - FI/Espoo) wrote: > Based on the feedback I have updated the charter text proposal > > ---------- > > Open Authentication Protocol (oauth) > > Last Modified: 2009-01-30 > > Chair(s): > > TBD > > Applications Area Director(s): > > Chris Newman <chris.newman@sun.com> > Lisa Dusseault <lisa@osafoundation.org> > > Applications Area Advisor: > > TBD > > Mailing Lists: > > https://www.ietf.org/mailman/listinfo/oauth > > Description of Working Group: > > OAuth allows a user to grant a third-party Web site or application > access to their resources, without revealing their credentials, or even s/without/without necessarily/ esp. wrt identity, which may be apparent from the URLs or lower-layer addresses involved. > their identity. For example, a photo-sharing site that supports OAuth > would allow its users to use a third-party printing Web site to access > their private pictures, without gaining full control of the user > account. > > OAuth consists of: > * A mechanism for exchanging a user's credentials for a token-secret > pair which can be used by a third party to access resources on their > behalf > * A mechanism for signing HTTP requests with the token-secret pair > > The Working Group will produce one or more documents suitable for > consideration as Proposed Standard, based upon the OAuth I-D, that will: I think referring by name to draft-hammer-oauth would be better there, so folks on the IETF list can more easily check it out later. > * Align OAuth with the Internet and Web architectures, best practices > and terminology Hmmm...that's very open-ended. I'd fear that this leaves a WG open to people constantly carping that such-and-such isn't best practice. Minimally, I think there is work on the terminology needed, but I'm not sure what else you had in mind here. I'd suggest deleting this bullet and adding one along the lines of: * Improve the terminology used > * Assure good security practice, or document gaps in its capabilities s/Assure/Embody/ as-is, it claims we'll make sure that running systems are "secure" which we can't do > * Promote interoperability > * Provide guidelines for extensibility > > This specifically means that as a starting point for the working group > the OAuth 1.0 specification is used and the available extension points > are going to be utilized. It seems desireable to profile OAuth 1.0 in a s/It seems desirable to/The WG will/ I think there was a clear consensus on that at the BoF. > way that produces a specification that is a backwards compatible > profile, i.e. any OAUTH 1.0 and the specification produced by this group > must support a basic set of features to guarantee interoperability. > > Furthermore, Oauth 1.0 defines three signature methods used to protect > requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work > on new signature methods in case the existing mechanisms do not fulfill > the security requirements. Existing signature methods will not be > modified but may be dropped as part of the backwards compatible > profiling activity. > > In doing so, it should consider: > * Implementer experience > * Existing uses of OAuth > * Ability to achieve broad impementation > * Ability to address broader use cases than may be contemplated by the > original authors > * Impact on the Internet and Web I'd argue to delete the last bullet above since that's implicit in all IETF WGs and if specifically called out is yet another place where people could quibble endlessly. > > The Working Group is not tasked with defining a generally applicable > HTTP Authentication mechanism (i.e., browser-based "2-leg" scenerio), > and should consider this work out of scope in its discussions. However, > if the deliverables are able to be factored in such a way that this is a > byproduct, or such a scenario could be addressed by additional future > work, the Working Group may choose to do so. > > After delivering OAuth, the Working Group may consider defining > additional functions and/or extensions, for example (but not limited > to): > * Discovery of authentication configuration > * Message integrity > * Recommendations regarding the structure of the token > > Goals and Milestones: > > 12/2009 Submit document(s) suitable for publication as > standards-track RFCs. > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [oauth] Charter Proposal v2 Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [oauth] Charter Proposal v2 Stephen Farrell