Re: [OAUTH-WG] OAuth 2.0 / Charter
Peter Saint-Andre <stpeter@stpeter.im> Mon, 30 November 2009 19:59 UTC
Message-ID: <4B1423FB.2070506@stpeter.im>
Date: Mon, 30 Nov 2009 12:58:51 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <90C41DD21FB7C64BB94121FBBC2E72343785209A24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <48AE706BD74FCC4297AD778805CA46F6184C5CF474@usps.sonoa.local> <90C41DD21FB7C64BB94121FBBC2E72343785209A5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B1407A7.9040907@cs.tcd.ie>
In-Reply-To: <4B1407A7.9040907@cs.tcd.ie>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 / Charter
<hat type='chair'/>

On 11/30/09 10:57 AM, Stephen Farrell wrote:

> While I think the general goal seems ok, and perhaps even better,

I do think it is worthwhile to have a discussion about the proper
"general goal" for this WG, especially given the changing landscape
regarding OAuth[-ish] technologies.

> I do wonder whether it's reasonable to re-charter a WG that has
> never formally met face to face,

The chairs take responsibility for the lack of a meeting, but I can
guarantee you that the group will meet at IETF 77.

> nor met any of its current
> milestones.

Given that the WG was chartered on May 13, it was perhaps a bit
aggressive to "Submit 'OAuth: HTTP Authorization Delegation Protocol'
as working group item" in Apr 2009. :)

Based on list discussion in May and June, we came to consensus to split
draft-hammer-oauth into two specifications, which Eran did in early
July, resulting in draft-ietf-oauth-authentication and
draft-ietf-oauth-web-delegation as WG items. We've had quite a bit of
discussion about those on the list, but it seems to me that the
discussion here and elsewhere has led to a desire for something more
than a simple, backwards-compatible specification of "OAuth 1.1" as
described in the charter. In particular, the scope of "OAuth 1.1"
appears to have been limited to improving terminology, embodying good
security practices, promoting interoperability, and providing
guidelines for extensibility.

> It may be, I'm just not sure, but what's the reason for not
> finishing OAuth 1.1 first? (The fact that you "see no value"
> doesn't explain it to me at least.)

I agree that we need to get the reasons out on the table so that we can
have an open discussion about problems and objectives.

> I also find the following a bit puzzling:
>
> Eran Hammer-Lahav wrote:
>> Keep in mind that we are not going to include token structure in scope.
>> We are simply proposing a method in which the token is a string, leaving
>> it up to other efforts to give it structure if needed.
>
> What other efforts? How would the implementer of an RFC achieve
> interoperability? Wouldn't we need to be able to answer that before
> proceeding?

Those are good questions.

> To answer your specific questions:
>
>> - Is this approach favorable by the group?
>
> Maybe.
>
>> - Do we need to adjust the language in the charter to support?
>
> Definitely IMO. The current charter talks about striving to
> maintain backwards compatibility etc.

The charter also says:

   However, changes that are not backwards compatible might be accepted
   if the group determines that the changes are required to meet the
   group's technical objectives and the group clearly documents the
   reasons for making them.

That implies the need to, above all, clarify the group's technical
objectives. IMHO the problem statement is not fully clear in the
existing charter, and furthermore it appears that some people now might
be trying to solve related but somewhat different problems with OAuth
(or something similar enough to OAuth that it can retain the name).
That might be either exciting or worrisome, depending on your
perspective.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/