Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
Phil Hunt <phil.hunt@oracle.com> Wed, 14 May 2014 17:30 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B15D21A014C for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:30:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.841
X-Spam-Level:
X-Spam-Status: No, score=-4.841 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BAJGAPO3iZ0a for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:30:14 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8C71A0134 for <oauth@ietf.org>; Wed, 14 May 2014 10:30:14 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s4EHU5qh002743 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 14 May 2014 17:30:06 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s4EHU4JH013904 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 May 2014 17:30:05 GMT
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s4EHU4X9001740; Wed, 14 May 2014 17:30:04 GMT
Received: from [192.168.1.188] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 May 2014 10:30:03 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_842A30A8-B336-4B74-8A54-1D792DC53D23"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5373A674.1060700@aol.com>
Date: Wed, 14 May 2014 10:29:58 -0700
Message-Id: <E604E118-9482-4C18-8485-E946AE7B6640@oracle.com>
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com> <84B60891-F9E1-4183-9031-8BED6315C70F@mit.edu> <-968574624925308911@unknownmsgid> <5373A674.1060700@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Mailer: Apple Mail (2.1874)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/v6IzbEi85jp-50wnOJFy0oZcxb0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 17:30:17 -0000
This is not an authentication mechanism - it is a method for providing end-user authentication information to client applications. I will publish a revised draft shortly. Phil @independentid www.independentid.com phil.hunt@oracle.com On May 14, 2014, at 10:23 AM, George Fletcher <gffletch@aol.com> wrote: > I also would like to see the WG not focus on another authentication mechanism and instead look at work like Brian suggested. > > Thanks, > George > > On 5/14/14, 11:41 AM, Chuck Mortimore wrote: >> Agree with Brian and Justin here. Work is already covered in Connect >> >> - cmort >> >> On May 14, 2014, at 8:39 AM, Justin Richer <jricher@mit.edu> wrote: >> >>> I agree with Brian and object to the Authentication work item. I think there’s limited interest and utility in such a draft, especially now that OpenID Connect has been published and its core authentication capabilities are identical to what was called for in the other draft a year ago (a similarity, I’ll add, which was noted at the time). >>> >>> — Justin >>> >>> On May 14, 2014, at 8:24 AM, Brian Campbell <bcampbell@pingidentity.com> wrote: >>> >>>> I would object to 'OAuth Authentication' being picked up by the WG as a work item. The starting point draft has expired and it hasn't really been discusses since Berlin nearly a year ago. As I recall, there was only very limited interest in it even then. I also don't believe it fits well with the WG charter. >>>> >>>> I would suggest the WG consider picking up 'OAuth Symmetric Proof of Possession for Code Extension' for which there is an excellent starting point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a relativity simple security enhancement which addresses problems currently being encountered in deployments of native clients. >>>> >>>> >>>> >>>> >>>> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: >>>> Hi all, >>>> >>>> you might have seen that we pushed the assertion documents and the JWT >>>> documents to the IESG today. We have also updated the milestones on the >>>> OAuth WG page. >>>> >>>> This means that we can plan to pick up new work in the group. >>>> We have sent a request to Kathleen to change the milestone for the OAuth >>>> security mechanisms to use the proof-of-possession terminology. >>>> >>>> We also expect an updated version of the dynamic client registration >>>> spec incorporating last call feedback within about 2 weeks. >>>> >>>> We would like you to think about adding the following milestones to the >>>> charter as part of the re-chartering effort: >>>> >>>> ----- >>>> >>>> Nov 2014 Submit 'Token introspection' to the IESG for consideration as a >>>> Proposed Standard >>>> Starting point: <draft-richer-oauth-introspection-04> >>>> >>>> Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as >>>> a Proposed Standard >>>> Starting point: <draft-hunt-oauth-v2-user-a4c-01> >>>> >>>> Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a >>>> Proposed Standard >>>> Starting point: <draft-jones-oauth-token-exchange-00> >>>> >>>> ----- >>>> >>>> We also updated the charter text to reflect the current situation. Here >>>> is the proposed text: >>>> >>>> ----- >>>> >>>> Charter for Working Group >>>> >>>> >>>> The Web Authorization (OAuth) protocol allows a user to grant a >>>> third-party Web site or application access to the user's protected >>>> resources, without necessarily revealing their long-term credentials, >>>> or even their identity. For example, a photo-sharing site that >>>> supports OAuth could allow its users to use a third-party printing Web >>>> site to print their private pictures, without allowing the printing >>>> site to gain full control of the user's account and without having the >>>> user share his or her photo-sharing sites' long-term credential with >>>> the printing site. >>>> >>>> The OAuth 2.0 protocol suite encompasses >>>> >>>> * a protocol for obtaining access tokens from an authorization >>>> server with the resource owner's consent, >>>> * protocols for presenting these access tokens to resource server >>>> for access to a protected resource, >>>> * guidance for securely using OAuth 2.0, >>>> * the ability to revoke access tokens, >>>> * standardized format for security tokens encoded in a JSON format >>>> (JSON Web Token, JWT), >>>> * ways of using assertions with OAuth, and >>>> * a dynamic client registration protocol. >>>> >>>> The working group also developed security schemes for presenting >>>> authorization tokens to access a protected resource. This led to the >>>> publication of the bearer token, as well as work that remains to be >>>> completed on proof-of-possession and token exchange. >>>> >>>> The ongoing standardization effort within the OAuth working group will >>>> focus on enhancing interoperability and functionality of OAuth >>>> deployments, such as a standard for a token introspection service and >>>> standards for additional security of OAuth requests. >>>> >>>> ----- >>>> >>>> Feedback appreciated. >>>> >>>> Ciao >>>> Hannes & Derek >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> >>>> >>>> -- >>>> >>>> Brian Campbell >>>> Portfolio Architect >>>> @ bcampbell@pingidentity.com >>>> +1 720.317.2061 >>>> Connect with us… >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > -- > <XeC.html> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth Milestone Update and Rechartering Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Bill Mills
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… George Fletcher
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anil Saldhana
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Paul Madsen
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Prateek Mishra
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell