[oauth] Draft minutes for the oauth bof
Sam Hartman <hartmans-ietf@mit.edu> Mon, 01 December 2008 14:07 UTC
From: Sam Hartman <hartmans-ietf@mit.edu>
To: oauth@ietf.org
Date: Mon, 01 Dec 2008 09:06:37 -0500
Message-ID: <tsltz9oq9aq.fsf@mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Subject: [oauth] Draft minutes for the oauth bof
When I try to upload these through the tool, it creates empty minutes. I'm going to submit them manually, but meanwhile, here are my minutes of the BOF. I trimmed some of the discussion about backward compatibility; I believe that I included representative points from all sides, but not a full transcript. If you feel there are important aspects of the discussion that are not covered or otherwise believe the minutes should be improved, please let Mark and me know.

OAuth BOF minutes
November 17, 2008, 1300-1500
Chairs: Sam Hartman and Mark Nottingham
Scribe: Ted Hardie

Larry Half and Blaine Cook gave a use case presentation describing the problem that OAuth solves and how it came about. The primary problem OAuth solves is delegating access to resources held at a service provider to consumers of a resource under the control of a user. Typically today, this is done using passwords. However, as sites adopt other authentication mechanisms, they may not have a password to give out. OAuth arose to solve this need. The presentation also presented a use case where OAuth is used to control access to information private to some consumer.

Eric Rescorla (ekr): Is this the same as the standard web authentication problem?
Larry: Yes.

The room discussed whether this was an interesting problem.

Phillip Hallam-Baker (phb): This is interesting from the SAML, WS-*, etc. space; the critical issue is UI. We need to work out how the user understands what they are doing. He did not understand the UI in the presentation. We should not take this on unless we handle the UI problem.

ekr: This is a system, not a protocol. There is a method for granting delegated access to resources and technology for doing user web authentication. The first is interesting. The second is not coupled to the first.

Hannes Tschofenig: This is an interesting problem. Getting UI folks interested would be good, but the UI work should not block the other work.

Dave Crocker: Yes, this is very interesting. Having UI folks look at this is separate expertise and separate work.

Leif: This is interesting; the OAuth group can help the IETF in this space.

Jeff Hodges (jeffh): Yes, this is interesting. UI should be separated.

Bob Morgan (rlbob): This is interesting. We're seeing this in the higher education area; we need a good security review and to be well integrated into larger architectures.

There is sufficient interest for work in this area; strong hum for, no opposed.

Eran Hammer gave a presentation on the OAuth protocol describing its flow. About half to two thirds had read the spec before.

Stephen Farrell gave a presentation on implications he has run into using OAuth in a mobile environment. Phones do not seem to support the current OAuth work flow. He would like to add a requirement that we support current phones.

Mark presented a proposed charter. The charter assumes that the existing draft is a starting point for the work.

Dave Crocker: The first paragraph needs to be improved to better introduce the problem. He will volunteer to work on text.

ekr: The problem is important, but this charter is not a reasonable starting point. There are three aspects to the proposal: an HTTP handshake, a set of mechanisms to pass tokens, and an authentication mechanism. This charter bakes in some connections between these three. While we should not gratuitously break existing OAuth, we should not bake in these connections.

Chairs would like to get comments on what level of interoperability with OAuth we need.

phb: We'll inevitably make changes to parts.

Stephan Wegner: The OAuth web page indicates that OAuth is done and that the current work is extensions. Is the IETF really getting change control here? If we see a need to make a change, will people actually adopt it?

Eran: No one can speak for the entire community, but yes, we want OAuth reviewed, and if problems are found, fixed. If this charter is approved, most of the companies involved will have someone at the table involved in the consensus process.

Pasi: It's unlikely that we will not need to make changes. He favors OAuth 1.1, not a clean slate.

Stephen Farrell: Also agrees with the OAuth 1.1 style.

Lisa (as AD): No one expects bit-for-bit compatibility. This is a big thing; a lot of people in the web community like it. Code can change over time.

ekr: Concerned about the backward compatibility text in the charter. He thinks it may go too far and wants to know what it means.

Pasi: There seem to be specific design requirements that went into the signature that may have to do with ease of implementation in certain environments. These should be called out.

Ted Hardie: There is something working in the wild; now you want to spec it out and standardize it. You don't want gratuitous changes, but you will be part of the IETF if this work happens. You will be part of the group deciding what changes to make.

The chairs believed there may be a rough consensus in favor of trying to develop an OAuth 1.1, but the consensus was rather weak. There definitely is not a consensus to start fresh, but people seem to need more information to make a decision on what level of compatibility is required.

Ted Hardie: Negotiation and extensibility will be important as changes are made.

Blocking issues in the charter:
- Greg Lebobits wants us to commit to fixing security problems in some possibly incremental time frame rather than simply documenting gaps.
- Stephen Farrell believes that the mobile use cases need to be discussed in the charter.
- rlbob believes that negotiation is needed and has a blocker related to service discovery.
- ekr wants to understand what level of backward compatibility is required and what changes are acceptable.
- Sam wants channel binding and mutual authentication as a security option.

Potential document authors: Jeff Hodges, Eran, Blaine, Larry, ekr, Hannes, Stephen Farrell, David Recordon.

Dave Crocker would be willing to be considered as a chair.