IETF Logo Mail Archive

Re: [oauth] OAUTH Charter Proposal

George Fletcher <gffletch@aol.com> Mon, 02 February 2009 13:47 UTC

Return-Path: <oauth-bounces@ietf.org>
X-Original-To: oauth-archive@ietf.org
Delivered-To: ietfarch-oauth-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8FC5528C215; Mon, 2 Feb 2009 05:47:45 -0800 (PST)
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7459128C215 for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 05:47:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-ArOi0LsYk0 for <oauth@core3.amsl.com>; Mon, 2 Feb 2009 05:47:43 -0800 (PST)
Received: from imo-d05.mx.aol.com (imo-d05.mx.aol.com [205.188.157.37]) by core3.amsl.com (Postfix) with ESMTP id 60BB128C1EF for <oauth@ietf.org>; Mon, 2 Feb 2009 05:47:42 -0800 (PST)
Received: from GFFletch@aol.com by imo-d05.mx.aol.com (mail_out_v39.1.) id j.cb5.4d963fc8 (37583); Mon, 2 Feb 2009 08:47:13 -0500 (EST)
Received: from C0A80169.tipt.aol.com ([10.172.1.80]) by cia-mb05.mx.aol.com (v121_r5.5) with ESMTP id MAILCIAMB058-92cf4986f95521c; Mon, 02 Feb 2009 08:47:02 -0500
Message-ID: <4986F954.1090001@aol.com>
Date: Mon, 02 Feb 2009 08:47:00 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net>
In-Reply-To: <033101c98303$e6fde7f0$0201a8c0@nsnintra.net>
X-AOL-IP: 10.172.1.80
X-Mailer: Unknown (No Version)
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: oauth-bounces@ietf.org
Errors-To: oauth-bounces@ietf.org

Not wanting to start a huge debate... but within the OAuth community 
we've made the distinction between Authentication and Authorization, 
with OAuth being an API Authorization protocol and leaving 
Authentication out of scope.

Is this charter planning to tackle authentication as well as 
authorization? The statement...
> OAuth consist of:
>   * A mechanism for exchanging a user's credentials for a token-secret pair
>   
has me a little confused.  I would word this as...

* A mechanism that allows a user to authorize API access via a 
token-secret pair

Thanks,
George


Hannes Tschofenig wrote:
> Hi all, 
>
> After a chat with Lisa I got in touch with Eran to slightly revise the
> charter text that Sam and Mark put together for the last IETF meeting.
>
> It should addresses some of the comments provided during the BOF. Your
> feedback is welcome. 
>
> Ciao
> Hannes
>
> -------------------------------------
>
> Open Authentication Protocol (oauth)
>
> Last Modified: 2009-01-30
>
> Chair(s):
>
> TBD
>
> Applications Area Director(s):
>
> Chris Newman <chris.newman@sun.com> 
> Lisa Dusseault <lisa@osafoundation.org> 
>
> Applications Area Advisor:
>
> TBD
>
> Mailing Lists:
>
> https://www.ietf.org/mailman/listinfo/oauth
>
> Description of Working Group:
>
> OAuth allows a user to grant a third-party Web site or application access to
> their resources, without revealing their credentials, or even their
> identity. For example, a photo-sharing site that supports OAuth would allow
> its users to use a third-party printing Web site to access their private
> pictures, without gaining full control of the user account.
>
> OAuth consist of:
>   * A mechanism for exchanging a user's credentials for a token-secret pair
> which can be used by a third party to access resources on their behalf
>   * A mechanism for signing HTTP requests with the token-secret pair
>
> The Working Group will produce one or more documents suitable for
> consideration as Proposed Standard, based upon the OAuth I-D, that will:
>   * Align OAuth with the Internet and Web architectures, best practices and
> terminology
>   * Assure good security practice, or document gaps in its capabilities
>   * Promote interoperability
>
> This specifically means that as a starting point for the working group the
> OAuth 1.0 specification is used and the  
> available extension points are going to be utilized. It seems desireable to
> profile OAuth 1.0 in a way that produces a specification that is a backwards
> compatible profile, i.e. any OAUTH 1.0 and the specification produced by
> this group must support a basic set of features to guarantee
> interoperability. 
>
> Furthermore, Oauth 1.0 defines three signature methods used to protect
> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on
> new signature methods in case the existing mechanisms do not fulfill the
> security requirements. Existing signature methods will not be modified but
> may be dropped as part of the backwards compatible profiling activity.
>
> In doing so, it should consider:
>   * Implementer experience
>   * Existing uses of OAuth
>   * Ability to achieve broad impementation
>   * Ability to address broader use cases than may be contemplated by the
> original authors
>   * Impact on the Internet and Web
>
> The Working Group is not tasked with defining a generally applicable HTTP
> Authentication mechanism (i.e., browser-based "2-leg" scenerio), and should
> consider this work out of scope in its discussions. However, if the
> deliverables are able to be factored in such a way that this is a byproduct,
> or such a scenario could be addressed by additional future work, the Working
> Group may choose to do so.
>
> After delivering OAuth, the Working Group MAY consider defining additional
> functions and/or extensions, for example 
> (but not limited to):
>   * Discovery of authentication configuration
>   * Message integrity
>   * Recommendations regarding the structure of the token 
>
> Goals and Milestones:
>
> 12/2009     Submit document(s) suitable for publication as standards-track
> RFCs.
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>   
_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email