Re: [OAUTH-WG] OAuth 2.0 / Charter

Peter Saint-Andre <stpeter@stpeter.im> Mon, 30 November 2009 19:59 UTC

Message-ID: <4B1423FB.2070506@stpeter.im>
Date: Mon, 30 Nov 2009 12:58:51 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <90C41DD21FB7C64BB94121FBBC2E72343785209A24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <48AE706BD74FCC4297AD778805CA46F6184C5CF474@usps.sonoa.local> <90C41DD21FB7C64BB94121FBBC2E72343785209A5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B1407A7.9040907@cs.tcd.ie>
In-Reply-To: <4B1407A7.9040907@cs.tcd.ie>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms050805050402060502050000"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 / Charter

<hat type='chair'/>

On 11/30/09 10:57 AM, Stephen Farrell wrote:
> While I think the general goal seems ok, and perhaps even better,

I do think it is worthwhile to have a discussion about the proper
"general goal" for this WG, especially given the changing landscape
regarding OAuth[-ish] technologies.

> I do wonder whether it's reasonable to re-charter a WG that has
> never formally met face to face,

The chairs take responsibility for the lack of a meeting, but I can
guarantee you that the group will meet at IETF 77.

> nor met any of its current
> milestones.

Given that the WG was chartered on May 13, it was perhaps a bit
aggressive to "Submit 'OAuth: HTTP Authorization Delegation Protocol' as
working group item" in Apr 2009. :)

Based on list discussion in May and June, we came to consensus to split
draft-hammer-oauth into two specifications, which Eran did in early
July, resulting in draft-ietf-oauth-authentication and
draft-ietf-oauth-web-delegation as WG items. We've had quite a bit of
discussion about those on the list, but it seems to me that the
discussion here and elsewhere has led to a desire for something more
than a simple, backwards-compatible specification of "OAuth 1.1" as
described in the charter. In particular, the scope of "OAuth 1.1"
appears to have been limited to improving terminology, embodying good
security practices, promoting interoperability, and providing guidelines
for extensibility.

> It may be, I'm just not sure, but what's the reason for not
> finishing OAuth 1.1 first? (The fact that you "see no value"
> doesn't explain it to me at least.)

I agree that we need to get the reasons out on the table so that we can
have an open discussion about problems and objectives.

> I also find the following a bit puzzling:
> 
> Eran Hammer-Lahav wrote:
>> Keep in mind that we are not going to include token structure in scope.
>> We are simply proposing a method in which the token is a string, leaving
>> it up to other efforts to give it structure if needed.
> 
> What other efforts? How would the implementer of an RFC achieve
> interoperability? Wouldn't we need to be able to answer that before
> proceeding?

Those are good questions.

> To answer your specific questions:
> 
>> - Is this approach favorable by the group?
> 
> Maybe.
> 
>> - Do we need to adjust the language in the charter to support?
> 
> Definitely IMO. The current charter talks about striving to
> maintain backwards compatibility etc.

The charter also says:

  However, changes that are not backwards
  compatible might be accepted if the group determines that
  the changes are required to meet the group's technical
  objectives and the group clearly documents the reasons for
  making them.

That implies the need to, above all, clarify the group's technical
objectives. IMHO the problem statement is not fully clear in the
existing charter, and furthermore it appears that some people now might
be trying to solve related but somewhat different problems with OAuth
(or something similar enough to OAuth that it can retain the name). That
might be either exciting or worrisome, depending on your perspective.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/