[oauth] Draft minutes for the oauth bof

Sam Hartman <hartmans-ietf@mit.edu> Mon, 01 December 2008 14:07 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: oauth@ietf.org
Date: Mon, 01 Dec 2008 09:06:37 -0500
Message-ID: <tsltz9oq9aq.fsf@mit.edu>
Subject: [oauth] Draft minutes for the oauth bof

When I try and upload these through the tool, it creates empty
minutes.

I'm going to submit them manually, but meanwhile, here are my minutes of the BOF.

I trimmed some of the discussion about backward compatibility; I
believe that I included representative points from all sides, but not
a full transcript.  If you feel there are important aspects of the
discussion that are not covered or otherwise believe the minutes
should be improved, please let Mark and me know.


Oauth BOF minutes
November 17, 2008 1300-1500
Chairs: Sam Hartman and Mark Nottingham
scribe: Ted Hardie

Larry Half and Blake Cook gave a use case presentation describing the
problem that oauth solves and how it came about.  The primary problem
oauth solves is delegating access to resources held at a service
provider to consumers of a resource under the control of a user.
Typically today, this is done using passwords.  However as sites adopt
other authentication mechanisms, they may not have a password to give
out.  Oauth arose to solve this need.

The presentation also presented a use case where oauth is used to
control access to information private to some consumer.

    Eric Rescorla (ekr): Is this the same as the standard web authentication problem?
    Larry: yes
The room discussed whether this was an interesting problem.

    Phillip Hallam-Baker (phb): This is interesting from the SAML,
      WS*, etc space; the critical issue is UI.  We need to work out how the
      user understands what they are doing.   He did not understand
      the UI in the presentation.  We should not take this on unless we
      handle the UI problem.

    ekr: This is a system not a protocol.  There is a method for
      granting delegated access to resources and technology for doing
      user web authentication.  The first is interesting. The second
      is not coupled to the first. 


    Hannes Tschofenig: This is an interesting problem.  Getting UI
      folks interested would be good, but the UI work should not block
      the other work.


    Dave Crocker: Yes, this is very interesting.  Having UI folks look
      at this is separate expertise and separate work.


    Leif: This is interesting; the oauth group can help the IETF in this space.

    Jeff Hodges (jeffh): Yes, this is interesting.  UI should be separated.

    Bob Morgan (rlbob): This is interesting.  We're seeing this in the
      higher education area; we need a good security review and to be
      well integrated into larger architectures.
There is sufficient interest for work in this area; strong hum for, no opposed.

Eran Hammer gave a presentation on the oauth protocol describing its
flow.  About half to two thirds had read the spec before.


Stephen Farrell gave a presentation on implications he has run into
using oauth in a mobile environment.  Phones do not seem to support
the current oauth work flow. He would like to add a requirement that we support current phones.

Mark presented a proposed charter.  The charter assumes that the existing draft is a starting point for the work.



    Dave Crocker: The first paragraph needs to be improved to better
      introduce the problem.  He will volunteer to work on text.

    ekr: The problem is important but this charter is not a reasonable
      starting point.  There are three aspects to the proposal: an
      http handshake, set of mechanisms to pass tokens, and
      authentication mechanism.  This charter bakes in some
      connections between these three.  While we should not
      gratuitously break existing oauth, we should not bake in these
      connections.

Chairs would like to get comments on what level of interoperability with oauth we need.

    phb: We'll inevitably make changes to parts.

    Stephan Wegner: The oauth webpage indicates that oauth is done and
      that the current work is extensions.  Is the IETF really getting
      change control here?  If we see a need to make a change, will
      people actually adopt it?  Eran: No one can speak for the entire
      community, but yes, we want oauth reviewed, and if problems are
      found, fixed.  If this charter is approved, most of the
      companies involved will have someone at the table involved in
      the consensus process.


    Pasi: It's unlikely that we will not need to make changes.  He favors oauth 1.1, not a clean slate.

    Stephen Farrell: also agrees with the oauth 1.1 style


    Lisa (as AD): No one expects bit-for-bit compatibility.  This is a
      big thing; a lot of people in the web community like it.  Code
      can change over time.


    ekr: Concerned about backward compatibility text in charter.  He
      thinks it may go too far and wants to know what it means.


    Pasi: There seem to be specific design requirements that went into
      the signature that may have to do with ease of implementation in
      certain environments.  These should be called out.



    Ted Hardie: There is something working in the wild; now you want
      to spec it out and standardize it.  You don't want gratuitous
      changes, but you will be part of the IETF if this work happens.
      You will be part of the group deciding what changes to make.


The chairs believed there may be a rough consensus in favor of trying
to develop an oauth 1.1, but the consensus was rather weak.  There
definitely is not a consensus to start fresh, but people seem to need
more information to make a decision on what level of compatibility is
required.


    Ted Hardie: Negotiation and extensibility will be important as changes are made.


Blocking issues in the charter:

Greg Lebobits wants us to commit to fixing security problems in some
possibly incremental time frame rather than simply documenting gaps.


Stephen Farrell  believes that the mobile use cases need to be discussed in the charter.
rlbob believes that negotiation is needed and has a blocker related to service discovery.

Ekr wants to understand what level of backward compatibility is required and what changes are acceptable.

Sam wants channel binding and mutual authentication as a security
option.

Potential document authors: Jeff Hodges, Eran, Blain, Larry,
ekr, Hannes, Stephen Farrell, David Recordon

Dave Crocker would be willing to be considered as a chair.
_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
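Editor's added example, not part of the minutes above and not code from the OAuth draft that was presented at the BOF: the HMAC-SHA1 signature that Eran's flow presentation and Pasi's remark about "design requirements that went into the signature" refer to, written out end to end. It builds the OAuth 1.0 signature base string (method, percent-encoded URL, sorted and percent-encoded parameters), signs it with enc(consumer_secret)&enc(token_secret), and shows the service-provider side check that a reviewer would want alongside the HMAC: a timestamp window and a nonce cache, because the signature by itself does not stop a captured request from being replayed. The request values are the "photos.example.net" vector from OAuth Core 1.0 Appendix A; the helper names (pct_encode, sign_request, verify_request) and the 300-second window are this example's own choices, not anything from the spec or the minutes.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (added example).

Constructed for illustration. The request values at the bottom are the
OAuth Core 1.0 Appendix A test vector, not anything from the BOF minutes.
"""
import base64
import hashlib
import hmac
import urllib.parse


def pct_encode(value) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build METHOD&enc(url)&enc(normalized params).

    Assumption (documented, not enforced here): `url` carries no query string
    or fragment, and `params` already merges query, body and Authorization
    header parameters. oauth_signature is never part of the string it signs.
    """
    pairs = sorted(
        (pct_encode(k), pct_encode(v))
        for k, v in params.items()
        if k != "oauth_signature"
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct_encode(url), pct_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret); output is base64 of the raw HMAC."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Consumer side: return a copy of params with oauth_signature filled in."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return signed


def verify_request(method, url, params, consumer_secret, token_secret,
                   seen_nonces: set, now: int, window: int = 300) -> bool:
    """Service-provider side check.

    Beyond recomputing the HMAC, reject stale timestamps and replayed
    (consumer_key, timestamp, nonce) triples. `seen_nonces` is the caller's
    replay cache (a set here; a store with expiry in a real deployment).
    """
    presented = params.get("oauth_signature")
    if not presented:
        return False
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > window:
        return False
    replay_key = (params.get("oauth_consumer_key"),
                  params.get("oauth_timestamp"),
                  params.get("oauth_nonce"))
    if None in replay_key or replay_key in seen_nonces:
        return False
    expected = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return False
    seen_nonces.add(replay_key)
    return True


# Constructed sample request: OAuth Core 1.0 Appendix A values.
METHOD = "GET"
URL = "http://photos.example.net/photos"
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
PARAMS = {
    "file": "vacation.jpg",
    "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    signed = sign_request(METHOD, URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(signature_base_string(METHOD, URL, PARAMS))
    print(signed["oauth_signature"])
```

Two things the example makes visible that the minutes only allude to. The normalization step (merging parameter sources, encoding, sorting, then encoding the whole thing again) is where most interoperability bugs between implementations live, which is the "ease of implementation in certain environments" concern behind Pasi's comment. And the HMAC covers only the request parameters: nothing in it ties the request to the TLS connection it arrived on or authenticates the server to the consumer, which is the gap Sam's channel binding and mutual authentication item is about.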