IETF Logo Mail Archive

Re: [OAUTH-WG] proposed agenda for second interim meeting

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 03 February 2010 17:59 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 28B253A6C8D for <oauth@core3.amsl.com>; Wed, 3 Feb 2010 09:59:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.431
X-Spam-Level:
X-Spam-Status: No, score=-2.431 tagged_above=-999 required=5 tests=[AWL=0.168, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N92kzjMS5kQk for <oauth@core3.amsl.com>; Wed, 3 Feb 2010 09:59:37 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id B0E553A6845 for <oauth@ietf.org>; Wed, 3 Feb 2010 09:59:37 -0800 (PST)
Received: (qmail 30752 invoked from network); 3 Feb 2010 18:00:18 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 3 Feb 2010 18:00:18 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Wed, 3 Feb 2010 10:59:51 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 03 Feb 2010 10:59:36 -0700
Thread-Topic: [OAUTH-WG] proposed agenda for second interim meeting
Thread-Index: Acqk+GTD3Fgg3tIrSti5TxHikacRXQAALyMA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437DFBA2BE2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4B69066C.5050809@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E723437DFBA2A70@P3PW5EX1MB01.EX1.SECURESERVER.NET> <62C93B79-9FF8-4D26-B1A7-7A79C122CC0E@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723437DFBA2B78@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A08279DC79B11C48AD587060CD93977112D4DE2C@TK5EX14MBXC103.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723437DFBA2BB7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <371693C7-5694-4E30-87EF-B8859B72D437@gmail.com>
In-Reply-To: <371693C7-5694-4E30-87EF-B8859B72D437@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 17:59:39 -0000

I read the minutes.

I don't need to be on the call to present my views on how to proceed. That's not how the IETF operates. I have been expressing my views for the past year, right here on the list. I didn't see any consensus call from the chairs about taking this approach (instead of others).

I also noticed the lack of follow up since the call with any kind of discussion on use cases.

I have asked the chairs to provide a place to discuss technical issues and that is what this second call is about. Unless the chairs decide to change it.

EHL

> -----Original Message-----
> From: Dick Hardt [mailto:dick.hardt@gmail.com]
> Sent: Wednesday, February 03, 2010 9:43 AM
> To: Eran Hammer-Lahav
> Cc: Anthony Nadalin; OAuth WG
> Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
> 
> Eran,
> 
> Both Tony and I are explaining to you what happened on the call. If you had
> been on the call, you could have presented your view on how to proceed
> with the calls.
> While you may have a different opinion on how to proceed (which I am NOT
> arguing with), arguing with us on what happened on the call seems pointless.
> 
> -- Dick
> 
> On 2010-02-03, at 9:34 AM, Eran Hammer-Lahav wrote:
> 
> > Hi Anthony,
> >
> > The problem with this approach is that it hasn't worked (multiple times)
> before because no one ever wants to do the work of collecting and writing
> the use cases. What we get instead are short cryptic lists and pointers to
> edge cases. We have a good grasp on how OAuth 1.0 is used and its
> limitations as addressed by the WRAP draft.
> >
> > The best use of my time is to continue working on the drafts and asking
> technical questions whenever a decision is needed. If and when someone
> writes use cases, I will review those and see if they are supported by the
> drafts.
> >
> > I will leave it up to the chairs to decide how they want to guide the working
> group.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Anthony Nadalin [mailto:tonynad@microsoft.com]
> >> Sent: Wednesday, February 03, 2010 9:02 AM
> >> To: Eran Hammer-Lahav; Dick Hardt
> >> Cc: OAuth WG
> >> Subject: RE: [OAUTH-WG] proposed agenda for second interim meeting
> >>
> >> I would tend to agree with Dick based upon the last call and where
> >> that was heading. I believe that Eve had some use cases to share
> >> around UMA
> >>
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >> Behalf Of Eran Hammer-Lahav
> >> Sent: Wednesday, February 03, 2010 8:41 AM
> >> To: Dick Hardt
> >> Cc: OAuth WG
> >> Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
> >>
> >> Has anyone gathered and reviewed use cases? I haven't seen much of
> >> that showing up on the list. From my experience, asking people for
> >> use cases rarely works, unless someone is willing to do the work and
> >> collect them (and so far I haven't heard from such volunteer). I much
> >> prefer the process in which we produce a technical document based on
> >> OAuth 1.0 and the new requirements as defined by WRAP, and discuss
> >> use cases as a property of the technical attributes of this draft.
> >>
> >> Of course, you don't have to agree with me, but that puts the burden
> >> of producing use cases documentation on you and others interested in
> >> taking that approach. We certainly have room for both, and keep in
> >> mind that my token draft is not (yet) a working group item.
> >>
> >> The indication I received from many of the active members of this
> >> list is that we have a strong desire to show up at Anaheim with two
> >> stable drafts. I think we are very close to getting the
> >> authentication piece done following much of OAuth 1.0 functionality
> >> (only cleaner and better structures), as well as treating bearer
> >> tokens as first class citizens. Given that no one has started a
> >> discussion about the delegation flows to include, I doubt we will
> >> have a stable second draft, but I plan on getting the authentication piece
> stable in time.
> >>
> >> It has also been my experience over the past two years that the
> >> biggest challenge is to figure out the authentication piece. The 'go
> >> get a token' piece tends to be much easier to agree on. If we get the
> >> authentication draft to a stable place, my intention is to leave it
> >> there and focus on the second part and come back to it as the
> >> delegation requirements become clearer (if changes are needed). But at
> least it gives us something stable to build upon.
> >>
> >> EHL
> >>
> >>> -----Original Message-----
> >>> From: Dick Hardt [mailto:dick.hardt@gmail.com]
> >>> Sent: Wednesday, February 03, 2010 7:02 AM
> >>> To: Eran Hammer-Lahav
> >>> Cc: Peter Saint-Andre; OAuth WG
> >>> Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting
> >>>
> >>> Hi Eran
> >>>
> >>> I think it is a little early in our phone discussions to get into technical
> details.
> >>> The next step according to the last call was to gather and review use
> cases.
> >>> Without rough consensus on what problem we are solving, your points
> >>> below (which all do need to be discussed at some point) is just
> >>> moving around deck chairs on the Titanic.
> >>>
> >>> -- Dick
> >>>
> >>> On 2010-02-02, at 11:24 PM, Eran Hammer-Lahav wrote:
> >>>
> >>>> Please add:
> >>>>
> >>>> - Discuss Adobe's recent request to allow excluding the host/port
> >>>> from the
> >>> signed message.
> >>>>
> >>>> - With regards to #4, how should the challenge identify the token
> >>>> to be
> >>> used (realm comes free, do we need another)?
> >>>>
> >>>> - Should a single token support multiple signature algorithms? This
> >>>> has
> >>> implications as to the information the client has to include with
> >>> the request (the algorithm used, etc.).
> >>>>
> >>>> - Where should the token structure live? OAuth 1.0 includes two
> >>>> response
> >>> parameters (token and token_secret). However, since we are now
> >>> moving towards having the algorithm part of the token definition, as
> >>> well as duration and other attributes, the server will need to
> >>> provide this information to the client. This calls for a simple
> >>> schema (can be any format but need to agree to consistent names). It
> >>> is currently part of the authorization/delegation draft
> >>> (implicitly), but we should discuss moving it to the authentication
> >>> draft since that's where it is used (the
> >> authorization draft simply hands those "things"
> >>> out).
> >>>>
> >>>> EHL
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >>>>> Behalf Of Peter Saint-Andre
> >>>>> Sent: Tuesday, February 02, 2010 9:15 PM
> >>>>> To: OAuth WG
> >>>>> Subject: [OAUTH-WG] proposed agenda for second interim meeting
> >>>>>
> >>>>> <hat type='chair'/>
> >>>>>
> >>>>> At the first interim meeting, we didn't get through our agenda:
> >>>>>
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg01013.html
> >>>>>
> >>>>> Therefore I propose that this time we focus on some unfinished
> >>>>> business, starting with the topic of authentication. I have
> >>>>> reviewed all of the related threads on the list and have come up
> >>>>> with the following
> >>> *rough* agenda.
> >>>>> Your feedback is welcome to improve this (a.k.a. "agenda
> >>>>> bashing") either on the list or during the meeting.
> >>>>>
> >>>>> For logistics information, see here:
> >>>>>
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg01085.html
> >>>>>
> >>>>> ******
> >>>>>
> >>>>> AGENDA
> >>>>>
> >>>>> Base proposal: draft-ietf-oauth-authentication-01
> >>>>>
> >>>>> Eran had hoped to push out a new version in time for our meeting,
> >>>>> but hasn't been able to get to it yet. However, I think we can
> >>>>> continue to move forward with discussion. Feedback is welcome on
> >>>>> the general approach, as well as specific open issues.
> >>>>>
> >>>>> Open issues....
> >>>>>
> >>>>> Issue #1: Request Signing vs. API Signing vs. Message Signing
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg00961.html
> >>>>>
> >>>>> 1a. Seeming consensus for message signing.
> >>>>>
> >>>>> 1b. No consensus yet on message format.
> >>>>>   - JSON and textual key-value seem to be the leading candidates.
> >>>>>
> >>>>> 1c. Seeming consensus for multiple/extensible signature algorithms.
> >>>>>   - HMAC-SHA1
> >>>>>   - HMAC-SHA256
> >>>>>   - RSASSA-PKCS1-v1.5-SHA256
> >>>>>   - PLAIN over SSL/TLS
> >>>>>
> >>>>> But: which of these are Mandatory-to-Implement?
> >>>>>
> >>>>> Issue #2: Include the Normalized Request with the Request?
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg00962.html
> >>>>>
> >>>>> Seeming consensus to not include the normalized request (e.g.,
> >>>>> signature string).
> >>>>>
> >>>>> Issue #3: Allow Secrets in Cleartext, or Require Channel Encryption?
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg00963.html
> >>>>>
> >>>>> Seeming consensus that channel encryption is must-implement
> (which
> >>>>> does not necessarily mean must-deploy).
> >>>>>
> >>>>> Issue #4: Authentication Challenges
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg01039.html
> >>>>>
> >>>>> If an authentication (access) request is unacceptable, how does
> >>>>> the server tell the client how it can provide proper credentials
> >>>>> (e.g., by using a different algorithm)?
> >>>>>
> >>>>> Possible other topics:
> >>>>>
> >>>>> - Mutual auth?
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg00935.html
> >>>>>
> >>>>> - Resource authorization?
> >>>>> http://www.ietf.org/mail-
> archive/web/oauth/current/msg01033.html
> >>>>>
> >>>>> ******
> >>>>>
> >>>>> /psa
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email