Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
Brian Campbell <bcampbell@pingidentity.com> Wed, 14 May 2014 22:08 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B32C1A02D7 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 15:08:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvEVT6ITwG2p for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 15:08:10 -0700 (PDT)
Received: from na3sys009aog108.obsmtp.com (na3sys009aog108.obsmtp.com [74.125.149.199]) by ietfa.amsl.com (Postfix) with ESMTP id B2B041A02FA for <oauth@ietf.org>; Wed, 14 May 2014 15:08:09 -0700 (PDT)
Received: from mail-ie0-f180.google.com ([209.85.223.180]) (using TLSv1) by na3sys009aob108.postini.com ([74.125.148.12]) with SMTP ID DSNKU3PpQ2dKRonAQtdJl26/uPVHPzU8Vra8@postini.com; Wed, 14 May 2014 15:08:03 PDT
Received: by mail-ie0-f180.google.com with SMTP id as1so221825iec.11 for <oauth@ietf.org>; Wed, 14 May 2014 15:07:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=/Jh8zFGIwaRwVGEqsSZQf27xLVZfgfNBEol4GtMMWso=; b=BZ9BDMWD0XSA4kG6SZrUBs6Lunv2vEnmuI6xDYhtgRy37S7DOQUmK8JnaRqH5DwUXS aBtS2rzff3bVEzj4EdpX/pvWNHjfYS79rO9EIuNqKzLsyNH/UnwZ5nbPhQP8VknbMwvL SqmTO4Hz9KTQ77Vslz+nn8WVCIxY7N0w/EN90jdD9CnJ66miiQTF5Ja1OlPRbJ4MyonS 7/TGwBd6ZOCgFqxl26IKr6SnPkxmVaeT4L8vDW7I+A1I33QvOYrLNEmNSJuZKNgd25jK uwORbR7aWYDiRvV1bLtpQHvj7g0CfKOahD9mG/nJanjASwOpGYqJ7NMwqk0Wd8Lw0slP cntg==
X-Received: by 10.50.153.49 with SMTP id vd17mr8236796igb.40.1400104790823; Wed, 14 May 2014 14:59:50 -0700 (PDT)
X-Gm-Message-State: ALoCoQmNFiKCq2sQJ/x/DSBxCHY8RrGhI0B3AjrKGUgYIt7blW+Wn0uud1EBqQwSAauqioGlgWUPk/ZMMLCV1e+4GaJsFPebqFrsBJdkO7Ud+TGdGrNfNwWONNYjiZK22O9fixkz/eMn
X-Received: by 10.50.153.49 with SMTP id vd17mr8236782igb.40.1400104790616; Wed, 14 May 2014 14:59:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Wed, 14 May 2014 14:59:20 -0700 (PDT)
In-Reply-To: <5bc620f21ba6446e8925476d4646bad5@BLUPR03MB309.namprd03.prod.outlook.com>
References: <536BF140.5070106@gmx.net> <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com> <60BC637A-FD8D-4C92-A94C-93F89E868CB9@ve7jtb.com> <5bc620f21ba6446e8925476d4646bad5@BLUPR03MB309.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 14 May 2014 15:59:20 -0600
Message-ID: <CA+k3eCSrGbsyBQPyopyj0N690Fq2LsYsGvkD3xHFpUUPL4e6Ow@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary="089e014954beb17c3904f9634cc8"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/w_anptRrhtt6skacqQkOdtc17j0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 22:08:13 -0000
I did an implementation of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 last week. We are seeing growing demand for some kind of solution to the code callback interception attack. The industry needs a well documented standard solution. On Wed, May 14, 2014 at 3:16 PM, Anthony Nadalin <tonynad@microsoft.com>wrote: > Please list the implementstions > > > > *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley > *Sent:* Wednesday, May 14, 2014 10:59 AM > > *To:* Brian Campbell > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] OAuth Milestone Update and Rechartering > > > > I know a number of people implementing > > > > http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 > > > > Having it on a RFC track may make sense. > > > > I remain to be convinced that a4c ads anything other than confusion. > > > > If the WG wants to take it up it should be aligned with Connect. I think > there are more important things to spend time on. > > > > > Sent from my iPhone > > > On May 14, 2014, at 2:24 PM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > I would object to 'OAuth Authentication' being picked up by the WG as a > work item. The starting point draft has expired and it hasn't really been > discusses since Berlin nearly a year ago. As I recall, there was only very > limited interest in it even then. I also don't believe it fits well with > the WG charter. > > I would suggest the WG consider picking up 'OAuth Symmetric Proof of > Possession for Code Extension' for which there is an excellent starting > point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a > relativity simple security enhancement which addresses problems currently > being encountered in deployments of native clients. > > > > On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > > Hi all, > > you might have seen that we pushed the assertion documents and the JWT > documents to the IESG today. We have also updated the milestones on the > OAuth WG page. > > This means that we can plan to pick up new work in the group. > We have sent a request to Kathleen to change the milestone for the OAuth > security mechanisms to use the proof-of-possession terminology. > > We also expect an updated version of the dynamic client registration > spec incorporating last call feedback within about 2 weeks. > > We would like you to think about adding the following milestones to the > charter as part of the re-chartering effort: > > ----- > > Nov 2014 Submit 'Token introspection' to the IESG for consideration as a > Proposed Standard > Starting point: <draft-richer-oauth-introspection-04> > > Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as > a Proposed Standard > Starting point: <draft-hunt-oauth-v2-user-a4c-01> > > Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a > Proposed Standard > Starting point: <draft-jones-oauth-token-exchange-00> > > ----- > > We also updated the charter text to reflect the current situation. Here > is the proposed text: > > ----- > > Charter for Working Group > > > The Web Authorization (OAuth) protocol allows a user to grant a > third-party Web site or application access to the user's protected > resources, without necessarily revealing their long-term credentials, > or even their identity. For example, a photo-sharing site that > supports OAuth could allow its users to use a third-party printing Web > site to print their private pictures, without allowing the printing > site to gain full control of the user's account and without having the > user share his or her photo-sharing sites' long-term credential with > the printing site. > > The OAuth 2.0 protocol suite encompasses > > * a protocol for obtaining access tokens from an authorization > server with the resource owner's consent, > * protocols for presenting these access tokens to resource server > for access to a protected resource, > * guidance for securely using OAuth 2.0, > * the ability to revoke access tokens, > * standardized format for security tokens encoded in a JSON format > (JSON Web Token, JWT), > * ways of using assertions with OAuth, and > * a dynamic client registration protocol. > > The working group also developed security schemes for presenting > authorization tokens to access a protected resource. This led to the > publication of the bearer token, as well as work that remains to be > completed on proof-of-possession and token exchange. > > The ongoing standardization effort within the OAuth working group will > focus on enhancing interoperability and functionality of OAuth > deployments, such as a standard for a token introspection service and > standards for additional security of OAuth requests. > > ----- > > Feedback appreciated. > > Ciao > Hannes & Derek > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > > [image: Ping Identity logo] <https://www.pingidentity.com/> > > *Brian Campbell* > Portfolio Architect > > *@* > > bcampbell@pingidentity.com > > [image: phone] > > +1 720.317.2061 > > Connect with us… > > [image: twitter logo] <https://twitter.com/pingidentity>[image: youtube > logo] <https://www.youtube.com/user/PingIdentityTV>[image: LinkedIn logo]<https://www.linkedin.com/company/21870>[image: > Facebook logo] <https://www.facebook.com/pingidentitypage>[image: Google+ > logo] <https://plus.google.com/u/0/114266977739397708540>[image: > slideshare logo] <http://www.slideshare.net/PingIdentity>[image: > flipboard logo] <http://flip.it/vjBF7>[image: rss feed icon]<https://www.pingidentity.com/blogs/> > > [image: Register for Cloud Identity Summit 2014 | Modern Identity > Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/> > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] OAuth Milestone Update and Rechartering Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Bill Mills
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… George Fletcher
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anil Saldhana
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Paul Madsen
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Prateek Mishra
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Chuck Mortimore
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Justin Richer
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Anthony Nadalin
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… John Bradley
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Phil Hunt
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell
- Re: [OAUTH-WG] OAuth Milestone Update and Rechart… Brian Campbell