IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

Brian Campbell <bcampbell@pingidentity.com> Wed, 14 May 2014 12:25 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 515121A006D for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 05:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XSln8q553GC9 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 05:25:11 -0700 (PDT)
Received: from na3sys009aog125.obsmtp.com (na3sys009aog125.obsmtp.com [74.125.149.153]) by ietfa.amsl.com (Postfix) with ESMTP id D2A341A005F for <oauth@ietf.org>; Wed, 14 May 2014 05:25:10 -0700 (PDT)
Received: from mail-ig0-f180.google.com ([209.85.213.180]) (using TLSv1) by na3sys009aob125.postini.com ([74.125.148.12]) with SMTP ID DSNKU3NgoDRy6118jIWni+4763XGxpKTswIX@postini.com; Wed, 14 May 2014 05:25:04 PDT
Received: by mail-ig0-f180.google.com with SMTP id c1so1679020igq.13 for <oauth@ietf.org>; Wed, 14 May 2014 05:25:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=W95H42Att3oT9ScVDDXAUCvk99rQ3goYYi2xcoDE/Z8=; b=WWapx6z1wy1xYy4WwYmN0F5d3NfX30oGglkll3ME9WlSlXKIeYcaINwKfYGqzsnonD gDc4WcgRytWri+eeCpv2DFZ9PV9nN7aawhoHbnTRjP2trEnRGTWzKSlaZ4VSD9reEB8A fwCFcKwnjfKrqztsze9P4GNFMXsJ8TRo9B9+or3x90fC0ii63unKLEYETx/XRlTwq2pC Rm3+NvqDbybg5uW195pQ4UcXAZKnE/s63GXNoU199kuQgkTQ2C4ue/ZmVCV4XbbdkkZ4 pqewt+gqnRX/LGfjHaJcw25Z9Sndu5obVJVuQTkNJrkcHNSKvaiknafKLsl/Q883oj22 cjdg==
X-Gm-Message-State: ALoCoQkS4oxtd1t19uH6+F9+G8zCH8EiuAU7yCSoyaECEgIt/ABVudmvJmVyFmm7QiWjT+Om01MsX4h2YOE4zpOxrA0mR9IfjzKBW6SwCfUbbPfaELezn4+LcWph2Vk2oQzw4+AIA2JG
X-Received: by 10.43.62.204 with SMTP id xb12mr2808994icb.51.1400070303987; Wed, 14 May 2014 05:25:03 -0700 (PDT)
X-Received: by 10.43.62.204 with SMTP id xb12mr2808985icb.51.1400070303849; Wed, 14 May 2014 05:25:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Wed, 14 May 2014 05:24:32 -0700 (PDT)
In-Reply-To: <536BF140.5070106@gmx.net>
References: <536BF140.5070106@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 14 May 2014 06:24:32 -0600
Message-ID: <CA+k3eCQN5TGSpQxEbO0n83+8JDVJrTHziVmkjzLUyXtgMQPG1A@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="bcaec51a8b1a1f348804f95b4524"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/x9775b9qp5o-XSnrpwdS7j7EZ_s
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 12:25:14 -0000

I would object to 'OAuth Authentication' being picked up by the WG as a
work item. The starting point draft has expired and it hasn't really been
discusses since Berlin nearly a year ago.  As I recall, there was only very
limited interest in it even then. I also don't believe it fits well with
the WG charter.

I would suggest the WG consider picking up 'OAuth Symmetric Proof of
Possession for Code Extension' for which there is an excellent starting
point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a
relativity simple security enhancement which addresses problems currently
being encountered in deployments of native clients.




On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net
> wrote:

> Hi all,
>
> you might have seen that we pushed the assertion documents and the JWT
> documents to the IESG today. We have also updated the milestones on the
> OAuth WG page.
>
> This means that we can plan to pick up new work in the group.
> We have sent a request to Kathleen to change the milestone for the OAuth
> security mechanisms to use the proof-of-possession terminology.
>
> We also expect an updated version of the dynamic client registration
> spec incorporating last call feedback within about 2 weeks.
>
> We would like you to think about adding the following milestones to the
> charter as part of the re-chartering effort:
>
> -----
>
> Nov 2014 Submit 'Token introspection' to the IESG for consideration as a
> Proposed Standard
> Starting point: <draft-richer-oauth-introspection-04>
>
> Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as
> a Proposed Standard
> Starting point: <draft-hunt-oauth-v2-user-a4c-01>
>
> Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a
> Proposed Standard
> Starting point: <draft-jones-oauth-token-exchange-00>
>
> -----
>
> We also updated the charter text to reflect the current situation. Here
> is the proposed text:
>
> -----
>
> Charter for Working Group
>
>
> The Web Authorization (OAuth) protocol allows a user to grant a
> third-party Web site or application access to the user's protected
> resources, without necessarily revealing their long-term credentials,
> or even their identity. For example, a photo-sharing site that
> supports OAuth could allow its users to use a third-party printing Web
> site to print their private pictures, without allowing the printing
> site to gain full control of the user's account and without having the
> user share his or her photo-sharing sites' long-term credential with
> the printing site.
>
> The OAuth 2.0 protocol suite encompasses
>
> * a protocol for obtaining access tokens from an authorization
> server with the resource owner's consent,
> * protocols for presenting these access tokens to resource server
> for access to a protected resource,
> * guidance for securely using OAuth 2.0,
> * the ability to revoke access tokens,
> * standardized format for security tokens encoded in a JSON format
>   (JSON Web Token, JWT),
> * ways of using assertions with OAuth, and
> * a dynamic client registration protocol.
>
> The working group also developed security schemes for presenting
> authorization tokens to access a protected resource. This led to the
> publication of the bearer token, as well as work that remains to be
> completed on proof-of-possession and token exchange.
>
> The ongoing standardization effort within the OAuth working group will
> focus on enhancing interoperability and functionality of OAuth
> deployments, such as a standard for a token introspection service and
> standards for additional security of OAuth requests.
>
> -----
>
> Feedback appreciated.
>
> Ciao
> Hannes & Derek
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
   [image: Ping Identity logo] <https://www.pingidentity.com/>
Brian Campbell
Portfolio Architect
  @ bcampbell@pingidentity.com  [image: phone] +1 720.317.2061  Connect
with us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
LinkedIn logo] <https://www.linkedin.com/company/21870> [image: Facebook
logo] <https://www.facebook.com/pingidentitypage> [image: Google+
logo]<https://plus.google.com/u/0/114266977739397708540> [image:
slideshare logo] <http://www.slideshare.net/PingIdentity> [image: flipboard
logo] <http://flip.it/vjBF7> [image: rss feed
icon]<https://www.pingidentity.com/blogs/>
   [image: Register for Cloud Identity Summit 2014 | Modern Identity
Revolution | 19–23 July, 2014 | Monterey,
CA]<https://www.cloudidentitysummit.com/>

v2.14.0 | Report a Bug | By Email