It has been a long time since we touched base as a community to check where we are and where we want to go. The last time we got together for such a discussion was at the OAuth Summit back in June. This is in no way an official update, as I hold no official capacity within the community. But I hope this is informational and useful.
---

* OAuth @ the IETF

Larry Halff, Blaine Cook, and I had conversations with folks from the IETF community over the past few months. These resulted in an IETF BoF session at the 73rd IETF meeting in MN last month. The BoF tried to answer two questions:

1. Is the problem of delegated auth as presented in the sharing of passwords across sites something the IETF community cares about and wants to work on?
2. If the answer to #1 is yes, is OAuth a good protocol to use as a starting point for solving it ("starting point" does not imply anything regarding the amount of changes)?

The answer to both questions was a strong yes from those present at the meeting. The outcome of the meeting was to form the new oa...@ietf.org mailing list and to work on the proposed WG charter, hopefully in time for the next IETF meeting (74th, March 09 in CA). The main issue which needs to be resolved now is the "backward compatibility" language of the charter.

The current OAuth spec has been submitted as an internet draft and is available at http://tools.ietf.org/html/draft-hammer-oauth-00. Note that the only official spec at this point is located at http://oauth.net/core/1.0.

* OAuth IPR

The OAuth Core 1.0 specification IPR license has been completed with a license attached to the spec (http://oauth.net/core/1.0) and signatures collected from all contributors. However, we were unable to come up with a satisfactory IPR policy for new work moving forward. Much of this effort has moved over to the work of the Open Web Foundation, which is currently discussing an IPR policy that will provide the OAuth community with a workable solution.

At this point, proposals made with regard to OAuth do not have a clear IPR policy attached, and each author must choose how to address that. The IETF process, if successful, will produce a specification covered by the IETF IPR policy, but that is extremely weak. It may not block adoption but it offers much less protection than the current OAuth license.

* Extensions

There are currently 11 proposed OAuth extensions. For the most part these are individual efforts with little community support or interest. Part of the work involved in writing the IETF charter and standardizing OAuth there is to figure out which of these extensions fit within the IETF core spec, which should be published as separate IETF standards, and which should remain as an individual effort.

The current proposals are (available from http://code.google.com/p/oauth):

- OAuth Discovery
- Body Hash
- Body Signature
- Consumer Request
- Gadgets
- Key Rotation
- Language Preference
- Response Data Format
- Session
- OpenID extension (http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html)
- Mobile (http://tools.ietf.org/html/draft-dehora-farrell-oauth-accesstoken-creds-00)

Other proposals not yet formalized include Token Attributes (access type, duration, scope), Token delegation (sharing tokens across multiple consumers), Header signatures (signing HTTP headers), and other security features.

* Mailing Lists

We currently have 3 OAuth mailing lists:

- OAuth (oauth@googlegroups.com)
- OAuth Extensions (oauth-extensi...@googlegroups.com)
- OAuth IETF (oa...@ietf.org)

There are also a few language-specific lists:

- OAuth Ruby (http://groups.google.com/group/oauth-ruby)
- OAuth PHP (http://groups.google.com/group/oauth-for-php)
- OAuth Perl (http://groups.google.com/group/oauth-perl)

(I will send a separate post about how we should use these lists moving forward).

---

Other topics we should review as the year comes to a close are the status of:

* Adoption
* Tutorials and Documentation
* Code Libraries

If anyone is willing to write those up, please post in reply.

Thanks and Happy Holidays!

EHL