[oauth] OAuth Charter Text (15th April 2009)

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Wed, 15 April 2009 07:50 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: oauth@ietf.org
Cc: Adrian.Farrel@huawei.com
Date: Wed, 15 Apr 2009 10:52:43 +0300

Open Authentication Protocol (oauth)

Last Modified: 2009-04-15

Chair(s):

TBD

Applications Area Director(s):

Alexey Melnikov <alexey.melnikov@isode.com>
Lisa Dusseault <lisa@osafoundation.org> 

Applications Area Advisor:

TBD

Mailing Lists:

https://www.ietf.org/mailman/listinfo/oauth

Description of Working Group:

OAuth allows a user to grant a third-party Web site or application access to
the user's resources, without necessarily revealing the user's credentials,
or even the user's identity. For example, a photo-sharing site that supports
OAuth would allow its users to use a third-party printing Web site to access
the user's private pictures, without gaining full control of the user
account.

OAuth consists of:
  * A mechanism for exchanging a user's credentials for a token-secret pair,
which can be used by a third party to access resources on the user's behalf.
  * A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for
consideration as Proposed Standard that will:
  * Improve the terminology used.
  * Embody good security practice, or document gaps in its capabilities, and
propose a path forward for addressing the gaps.
  * Promote interoperability.
  * Provide guidelines for extensibility.

This specifically means that as a starting point for the working group OAuth
1.0 (i.e., draft-hammer-oauth-00.txt), which is a copy of the original OAuth
specification in IETF draft format, is used and the available extension
points are going to be utilized. In completing its work to profile OAuth 1.0
to become OAuth 1.1, the group will strive to retain backward compatibility
with the OAuth 1.0 specification. However, changes that are not backward
compatible might be accepted if the group determines that the changes are
required to meet the group's technical objectives and the group clearly
documents the reasons for making them.

Furthermore, OAuth 1.0 defines three signature methods used to protect
requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on
new signature methods and will describe the environments where new security
requirements justify their usage. Existing signature methods will not be
modified, but may be dropped as part of the backward compatible profiling
activity. The applicability of existing and new signature methods to
protocols other than HTTP will be investigated.

The Working Group should consider:
  * Implementer experience.
  * The end-user experience, including internationalization.
  * Existing uses of OAuth.
  * Ability to achieve broad implementation.
  * Ability to address broader use cases than may be contemplated by the
original authors.

After delivering OAuth 1.1, the Working Group may consider defining
additional functions and/or extensions, for example (but not limited to):
  * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
  * Comprehensive message integrity, e.g.,
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
  * Recommendations regarding the structure of the token.
  * Localization, e.g.,
http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
  * Session-oriented tokens, e.g.,
http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
  * Alternate token exchange profiles, e.g.,
draft-dehora-farrell-oauth-accesstoken-creds-00.

The work on extensions is within the scope of the working group charter, but
requires consensus within the group to add new milestones. 

The Working Group will also define a generally applicable HTTP
authentication mechanism (i.e., browser-based "2-leg" scenario).

Goals and Milestones:

Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
working group item
            (draft-hammer-oauth will be used as a starting point for further
work.)
Jul 2009    Submit a document as a working group item providing the
functionality of the 2-legged HTTP authentication mechanism 
Jul 2009    Start of discussion about OAuth extensions the group should work
on
Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
Delegation Protocol'
Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to the
IESG for consideration as a Proposed Standard 
Nov 2009    Start Working Group Last Call on the 2-legged HTTP
authentication mechanism document
Nov 2009    Prepare milestone update to start new work within the scope of
the charter
Dec 2009    Submit 2-legged HTTP authentication mechanism document to the
IESG for consideration as a Proposed Standard