Re: [OAUTH-WG] OAuth 2.0 / Charter
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 30 November 2009 19:33 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B9B273A695A for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 11:33:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.464
X-Spam-Level:
X-Spam-Status: No, score=-2.464 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AhZnpWiF9gmk for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 11:33:20 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id A0CE03A6916 for <oauth@ietf.org>; Mon, 30 Nov 2009 11:33:20 -0800 (PST)
Received: (qmail 26790 invoked from network); 30 Nov 2009 19:33:13 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 30 Nov 2009 19:33:12 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 30 Nov 2009 12:33:11 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Greg Brail <gbrail@sonoasystems.com>
Date: Mon, 30 Nov 2009 12:33:15 -0700
Thread-Topic: OAuth 2.0 / Charter
Thread-Index: AcpwydwemcwGclDiS3iUrmJW9KSv5AArlwTgAAXaE8AAFPHpgAAEHj5Q
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343785209B8E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343785209A24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <48AE706BD74FCC4297AD778805CA46F6184C5CF474@usps.sonoa.local> <90C41DD21FB7C64BB94121FBBC2E72343785209A5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <48AE706BD74FCC4297AD778805CA46F6184C5CF49B@usps.sonoa.local>
In-Reply-To: <48AE706BD74FCC4297AD778805CA46F6184C5CF49B@usps.sonoa.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E72343785209B8EP3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 / Charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 19:33:28 -0000
SWT is one. http://groups.google.com/group/oauth-wrap-wg EHL From: Greg Brail [mailto:gbrail@sonoasystems.com] Sent: Monday, November 30, 2009 9:35 AM To: Eran Hammer-Lahav Cc: OAuth WG (oauth@ietf.org) Subject: RE: OAuth 2.0 / Charter Thanks for the clarification. I do think that a standard token structure would be a good thing for the Internet in general. Is there another effort I should be following regarding the token structure itself? ________________________________ From: Eran Hammer-Lahav [mailto:eran@hueniverse.com] Sent: Monday, November 30, 2009 2:36 AM To: Greg Brail Cc: OAuth WG (oauth@ietf.org) Subject: RE: OAuth 2.0 / Charter Keep in mind that we are not going to include token structure in scope. We are simply proposing a method in which the token is a string, leaving it up to other efforts to give it structure if needed. EHL From: Greg Brail [mailto:gbrail@sonoasystems.com] Sent: Sunday, November 29, 2009 9:05 PM To: Eran Hammer-Lahav Cc: OAuth WG (oauth@ietf.org) Subject: RE: OAuth 2.0 / Charter I've been following this discussion for a while now as a relative newcomer and I think this is a great idea. Forgive me if all you guys have reached this conclusion already: Since we all understand OAuth, there are other places where tokens are popping up: * As a "more secure" replacement for username / password authentication in web services APIs like Amazon's * As a way for the developer of an API to understand which developer's applications are being used against the API, when it is less important to identify the actual user (for instance, the classical "API key" use case, or "two-legged OAuth") * As a way for the developer of a mobile app to ensure that only that app can make use of a particular web service, even if it is not important to identify the actual user * Lots of others I'm sure I'm missing The sooner there is some movement towards a standard "token," the sooner we will have token support in a variety of programming environments. Plus, a standard token will reduce the propensity of web services builders to design their own tokens, with varying levels of security. Plus, the OAuth flow has clearly proven to be useful and it deserves to be a standard that makes use of the standard token. On the design of the token itself, I hope that it will have a place for one, two, or even more combinations of keys and secrets, so that it can handle simple use cases, more complex use cases such as OAuth, and even those that require three or more separate identifiers for a request. greg -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Sunday, November 29, 2009 2:59 AM To: Peter Saint-Andre (stpeter@stpeter.im); Lisa Dusseault (lisa.dusseault@gmail.com) Cc: OAuth WG (oauth@ietf.org) Subject: [OAUTH-WG] OAuth 2.0 / Charter With the cleanup of the 1.0 specification [1] and the publication of an informational RFC (pending IESG approval), I no longer see value in a standard closely based on the 1.0 specification, which was the original intention of this WG. This is also reflected by the recent interest in the WRAP proposal [2]. Instead, I think we should develop two specifications that while closely in line with the original plan, represent a significant shift. In other words, I am proposing we develop OAuth 2.0, not 1.1. The new proposal is to develop two specifications: 1. Token Authorization Method An RFC 2617 Authorization header called 'Token' for authenticating requests with token-based credentials. Tokens (with optional shared-secret) are usually used in place of other credentials (usernames, etc.) and represent some combination of scope and authorization. The token method will include an extensible signature-based option based on the HMAC-SHA1 method, and a bearer token (with optional secret) option based on the PLAINTEXT method. The RSA option will be dropped. 2. OAuth 2.0 A specification based on the browser-redirection flow described in OAuth 1.0 as well as new methods defined in WRAP (I-D submission pending). OAuth will be redefined to cover the authorization component only, and will no longer be bound to a single authentication method. This will make OAuth immediately useful for other protocols than HTTP (while HTTP will be used to obtain tokens, tokens will be useful in other protocols, not just with the HTTP and Token method). --- While the current charter allows much of this work, it contradicts its spirit and the understanding reached when we created the working group. I would like to ask: - Is this approach favorable by the group? - Do we need to adjust the language in the charter to support? EHL [1] http://tools.ietf.org/html/draft-hammer-oauth [2] http://bit.ly/oauth-wrap _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] OAuth 2.0 / Charter John Panzer
- Re: [OAUTH-WG] OAuth 2.0 / Charter Hans Granqvist
- [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Richard Barnes
- Re: [OAUTH-WG] OAuth 2.0 / Charter Paul C. Bryan
- Re: [OAUTH-WG] OAuth 2.0 / Charter Manger, James H
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Moore, Jonathan (CIM)
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Paul Lindner
- Re: [OAUTH-WG] OAuth 2.0 / Charter Pelle Braendgaard
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Brian Eaton
- Re: [OAUTH-WG] OAuth 2.0 / Charter John Panzer
- Re: [OAUTH-WG] OAuth 2.0 / Charter Brian Eaton
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Richard Barnes
- Re: [OAUTH-WG] OAuth 2.0 / Charter Stephen Farrell
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Brian Eaton
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Richard Barnes
- Re: [OAUTH-WG] OAuth 2.0 / Charter Richard Barnes
- Re: [OAUTH-WG] OAuth 2.0 / Charter Brian Eaton
- Re: [OAUTH-WG] OAuth 2.0 / Charter John Kemp
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Moore, Jonathan (CIM)
- Re: [OAUTH-WG] OAuth 2.0 / Charter John Kemp
- Re: [OAUTH-WG] OAuth 2.0 / Charter Brian Eaton
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Phillip Hallam-Baker
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Dick Hardt
- Re: [OAUTH-WG] OAuth 2.0 / Charter John Kemp
- Re: [OAUTH-WG] OAuth 2.0 / Charter Dick Hardt
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Dick Hardt
- Re: [OAUTH-WG] OAuth 2.0 / Charter Peter Saint-Andre
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Prateek Mishra
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Brian Eaton
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Eran Hammer-Lahav
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … John Panzer
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Ben Laurie
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter John Panzer
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Brian Eaton
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Eran Hammer-Lahav
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Igor Faynberg
- Re: [OAUTH-WG] OAuth 2.0 / Charter Pelle Braendgaard
- Re: [OAUTH-WG] OAuth 2.0 / Charter Leah Culver
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Pelle Braendgaard
- Re: [OAUTH-WG] OAuth 2.0 / Charter Breno
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Igor Faynberg
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 / Charter Peter Saint-Andre
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Peter Saint-Andre
- Re: [OAUTH-WG] keeping support for RSA (Was: RE: … Peter Saint-Andre