Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
Paul Madsen <paul.madsen@gmail.com> Wed, 14 May 2014 17:48 UTC
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E04B81A0102 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:48:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8dtAoq4wnYU for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 10:48:27 -0700 (PDT)
Received: from mail-ie0-x22f.google.com (mail-ie0-x22f.google.com [IPv6:2607:f8b0:4001:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 46B971A02BD for <oauth@ietf.org>; Wed, 14 May 2014 10:48:27 -0700 (PDT)
Received: by mail-ie0-f175.google.com with SMTP id y20so2192747ier.20 for <oauth@ietf.org>; Wed, 14 May 2014 10:48:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=xJmZGK7euksIQI0sQfPLKpNtMnAL5Cz+wXBcDQl/i6E=; b=qMrxTeUq8EwRWTgOhnFjbX4hHnXlKNzNA1RGFdEoB+5jsQThecfDJLdOM1QDZsFfdM uk7+3UX1KZk78Bi4y0DEjDj4yZcCM8UaZ7Qsk0u+PaSDoCCcusfFUoABIZdF7bn/RBxQ 9CGBKLzmccBzjOr3okJBmaJdj3J7S/XscR82J9djwJSFhPDtjGyx1766JjVBbdDaMZpx yP/tetkFDsR2XDzgKf1lzXF9DKJVwNA/qB3KY/+aXaeMgRfXvfIjAEBC3qHvlWhoU3nK 9gJUJUVaRLeunhPtA9GqIzjdKxbiMlfsLdD1ObjNoxAvIQy5CzmtcwFHx6D9oZSdlHfi YivQ==
X-Received: by 10.42.109.8 with SMTP id j8mr3338220icp.89.1400089700454; Wed, 14 May 2014 10:48:20 -0700 (PDT)
Received: from [192.168.0.192] (CPE0022b0cb82b4-CMbc1401e98fa0.cpe.net.cable.rogers.com. [99.224.82.58]) by mx.google.com with ESMTPSA id p4sm6819377igy.7.2014.05.14.10.48.18 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 14 May 2014 10:48:19 -0700 (PDT)
Message-ID: <5373AC68.1070200@gmail.com>
Date: Wed, 14 May 2014 13:48:24 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>, George Fletcher <gffletch@aol.com>
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com> <84B60891-F9E1-4183-9031-8BED6315C70F@mit.edu> <-968574624925308911@unknownmsgid> <5373A674.1060700@aol.com> <E604E118-9482-4C18-8485-E946AE7B6640@oracle.com>
In-Reply-To: <E604E118-9482-4C18-8485-E946AE7B6640@oracle.com>
Content-Type: multipart/alternative; boundary="------------020909040006050303040605"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/vUitWr0HmOYN4kubsu4xp8oJvCE
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 17:48:36 -0000
Phil, neither is Connect an authentication mechanism, it (and SAML, WS-fed etc) is also a 'method for providing end-user authentication information to client applications' We don't need a Connect-- paul On 5/14/14, 1:29 PM, Phil Hunt wrote: > This is not an authentication mechanism - it is a method for providing > end-user authentication information to client applications. I will > publish a revised draft shortly. > > Phil > > @independentid > www.independentid.com <http://www.independentid.com> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > > > > On May 14, 2014, at 10:23 AM, George Fletcher <gffletch@aol.com > <mailto:gffletch@aol.com>> wrote: > >> I also would like to see the WG not focus on another authentication >> mechanism and instead look at work like Brian suggested. >> >> Thanks, >> George >> >> On 5/14/14, 11:41 AM, Chuck Mortimore wrote: >>> Agree with Brian and Justin here. Work is already covered in Connect >>> >>> - cmort >>> >>> On May 14, 2014, at 8:39 AM, Justin Richer <jricher@mit.edu >>> <mailto:jricher@mit.edu>> wrote: >>> >>>> I agree with Brian and object to the Authentication work item. I >>>> think there's limited interest and utility in such a draft, >>>> especially now that OpenID Connect has been published and its core >>>> authentication capabilities are identical to what was called for in >>>> the other draft a year ago (a similarity, I'll add, which was noted >>>> at the time). >>>> >>>> --- Justin >>>> >>>> On May 14, 2014, at 8:24 AM, Brian Campbell >>>> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote: >>>> >>>>> I would object to 'OAuth Authentication' being picked up by the WG >>>>> as a work item. The starting point draft has expired and it hasn't >>>>> really been discusses since Berlin nearly a year ago. As I >>>>> recall, there was only very limited interest in it even then. I >>>>> also don't believe it fits well with the WG charter. >>>>> >>>>> I would suggest the WG consider picking up 'OAuth Symmetric Proof >>>>> of Possession for Code Extension' for which there is an excellent >>>>> starting point of >>>>> http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a >>>>> relativity simple security enhancement which addresses problems >>>>> currently being encountered in deployments of native clients. >>>>> >>>>> >>>>> >>>>> >>>>> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig >>>>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: >>>>> >>>>> Hi all, >>>>> >>>>> you might have seen that we pushed the assertion documents and >>>>> the JWT >>>>> documents to the IESG today. We have also updated the >>>>> milestones on the >>>>> OAuth WG page. >>>>> >>>>> This means that we can plan to pick up new work in the group. >>>>> We have sent a request to Kathleen to change the milestone for >>>>> the OAuth >>>>> security mechanisms to use the proof-of-possession terminology. >>>>> >>>>> We also expect an updated version of the dynamic client >>>>> registration >>>>> spec incorporating last call feedback within about 2 weeks. >>>>> >>>>> We would like you to think about adding the following >>>>> milestones to the >>>>> charter as part of the re-chartering effort: >>>>> >>>>> ----- >>>>> >>>>> Nov 2014 Submit 'Token introspection' to the IESG for >>>>> consideration as a >>>>> Proposed Standard >>>>> Starting point: <draft-richer-oauth-introspection-04> >>>>> >>>>> Jan 2015 Submit 'OAuth Authentication' to the IESG for >>>>> consideration as >>>>> a Proposed Standard >>>>> Starting point: <draft-hunt-oauth-v2-user-a4c-01> >>>>> >>>>> Jan 2015 Submit 'Token Exchange' to the IESG for consideration >>>>> as a >>>>> Proposed Standard >>>>> Starting point: <draft-jones-oauth-token-exchange-00> >>>>> >>>>> ----- >>>>> >>>>> We also updated the charter text to reflect the current >>>>> situation. Here >>>>> is the proposed text: >>>>> >>>>> ----- >>>>> >>>>> Charter for Working Group >>>>> >>>>> >>>>> The Web Authorization (OAuth) protocol allows a user to grant a >>>>> third-party Web site or application access to the user's protected >>>>> resources, without necessarily revealing their long-term >>>>> credentials, >>>>> or even their identity. For example, a photo-sharing site that >>>>> supports OAuth could allow its users to use a third-party >>>>> printing Web >>>>> site to print their private pictures, without allowing the >>>>> printing >>>>> site to gain full control of the user's account and without >>>>> having the >>>>> user share his or her photo-sharing sites' long-term >>>>> credential with >>>>> the printing site. >>>>> >>>>> The OAuth 2.0 protocol suite encompasses >>>>> >>>>> * a protocol for obtaining access tokens from an authorization >>>>> server with the resource owner's consent, >>>>> * protocols for presenting these access tokens to resource server >>>>> for access to a protected resource, >>>>> * guidance for securely using OAuth 2.0, >>>>> * the ability to revoke access tokens, >>>>> * standardized format for security tokens encoded in a JSON format >>>>> (JSON Web Token, JWT), >>>>> * ways of using assertions with OAuth, and >>>>> * a dynamic client registration protocol. >>>>> >>>>> The working group also developed security schemes for presenting >>>>> authorization tokens to access a protected resource. This led >>>>> to the >>>>> publication of the bearer token, as well as work that remains >>>>> to be >>>>> completed on proof-of-possession and token exchange. >>>>> >>>>> The ongoing standardization effort within the OAuth working >>>>> group will >>>>> focus on enhancing interoperability and functionality of OAuth >>>>> deployments, such as a standard for a token introspection >>>>> service and >>>>> standards for additional security of OAuth requests. >>>>> >>>>> ----- >>>>> >>>>> Feedback appreciated. >>>>> >>>>> Ciao >>>>> Hannes & Derek >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Ping Identity logo <https://www.pingidentity.com/> >>>>> Brian Campbell >>>>> Portfolio Architect >>>>> @ bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com> >>>>> phone +1 720.317.2061 >>>>> Connect with us... >>>>> twitter logo <https://twitter.com/pingidentity> youtube logo >>>>> <https://www.youtube.com/user/PingIdentityTV> LinkedIn logo >>>>> <https://www.linkedin.com/company/21870> Facebook logo >>>>> <https://www.facebook.com/pingidentitypage> Google+ logo >>>>> <https://plus.google.com/u/0/114266977739397708540> slideshare >>>>> logo <http://www.slideshare.net/PingIdentity> flipboard logo >>>>> <http://flip.it/vjBF7> rss feed icon >>>>> <https://www.pingidentity.com/blogs/> >>>>> >>>>> Register for Cloud Identity Summit 2014 | Modern Identity >>>>> Revolution | 19--23 July, 2014 | Monterey, CA >>>>> <https://www.cloudidentitysummit.com/> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> -- >> <XeC.html> <http://connect.me/gffletch> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth Milestone Update and Rechartering Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Bill Mills
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… George Fletcher
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anil Saldhana
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Paul Madsen
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Prateek Mishra
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell