David says...
> Hey Barry, I'm confused. This thread is full of comments. Is there an
> updated charter which addresses them?
Well, your earlier message doesn't suggest any changes, nor does Dick's. Thomas's does, but he retracted them after he understood the purpose of this rechartering (see below). So there aren't as many comments in this thread as you think. I did, however, miss Eran's comments (so sorry!), but I think Hannes picked those up in his update, posted after mine.

Igor, on the use cases: The point of this rechartering is to focus tightly on getting the base protocol done Very Soon. I agree with you that a use-cases document would be great to publish, and if that's kept current with any new discussions here it should be easy to pop it out right away after the next recharter. But we (and the ADs) don't want to have any distractions from getting OAuth 2.0 out. I don't think this will really be an issue. If "use cases" is about ready to go, then it will go out very quickly afterward, and all will be well.

For the ADs, I'm attaching Hannes's updated version of the charter for you to proceed with.

Barry, as chair
Web Authorization Protocol Working Group

Description of Working Group

The Web Authorization (OAuth) protocol allows a user to grant a third-party Web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing Web site to print their private pictures, without allowing the printing site to gain full control of the user's account.

OAuth encompasses
* a mechanism for a user to authorize issuance of credentials that a third party can use to access resources on the user's behalf, and
* a mechanism for using the issued credentials to authenticate HTTP requests.

In April 2010 the OAuth 1.0 specification, documenting pre-IETF work, was published as an informational document (RFC 5849). The working group has since been developing OAuth 2.0, a standards-track version that will reflect IETF consensus. Version 2.0 will consider the implementation experience with version 1.0, a discovered security vulnerability (session fixation attack), and the use cases and functionality proposed with OAuth WRAP [draft-hardt-oauth-01], and will
* improve the terminology used,
* consider broader use cases,
* embody good security practices,
* improve interoperability, and
* provide guidelines for extensibility.

The working group will develop authentication schemes for peers/servers taking part in OAuth (accessing protected resources). This includes
* an HMAC-based authentication mechanism. This document aims to provide a general-purpose MAC authentication scheme that can be used with OAuth 2.0 but also with other use cases. The WG will work with the security and applications area directors to ensure that this work gets appropriate review, e.g. via additional last calls in other relevant working groups such as HTTPBIS,
* a specification for access protected by Transport Layer Security (bearer tokens),
* an extension to OAuth 2.0 to allow access tokens to be requested when a client is in possession of a SAML assertion.

A separate informational description will be produced to provide additional security analysis for audiences beyond the community of protocol implementers.

Milestones will be added for the later items after the near-term work has been completed.

Goals and Milestones

May 2011  Submit 'HTTP Authentication: MAC Authentication' as a working group item
May 2011  Submit 'OAuth 2.0 Threat Model and Security Considerations' as a working group item
Jul 2011  Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for consideration as a Proposed Standard
Jul 2011  Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for consideration as a Proposed Standard
Aug 2011  Submit 'HTTP Authentication: MAC Authentication' to the IESG for consideration as a Proposed Standard
Oct 2011  Submit 'SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0' to the IESG for consideration as a Proposed Standard
Oct 2011  Re-chartering working group
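The charter contrasts two ways of using issued credentials to authenticate HTTP requests: bearer tokens, which are only as safe as the TLS channel carrying them, and an HMAC-based MAC scheme, where the shared secret never leaves the client and each request carries a MAC over its own method, URL and body. The following is an added example, not code from this thread or from the IETF MAC draft; the header layout and field names (`id`, `ts`, `nonce`, `mac`), the `CREDENTIALS` table and the URL are constructed assumptions chosen to illustrate the properties a resource server would check: binding the MAC to the request, a clock-skew window, nonce-based replay rejection and constant-time comparison.

```python
"""Illustrative HMAC-based ("MAC") HTTP request authentication.

Constructed example: the Authorization header layout and the field names are
assumptions for illustration, not the wire format of any IETF draft.
"""
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit

# Constructed sample credential: a public key identifier the resource server can
# look up, and the shared secret, which never travels on the wire.
CREDENTIALS = {"mac-key-0001": b"constructed-shared-secret-do-not-reuse"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def normalized_request_string(ts, nonce, method, url, body_hash):
    """Canonical form of the request that both sides MAC over.  Binding method,
    path, host and port means a MAC computed for GET on one resource is useless
    for DELETE on the same resource or for the same path on another host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "\n".join([str(ts), nonce, method.upper(), path, host, str(port), body_hash]) + "\n"


def body_digest(body):
    """Hash of the request body, empty for body-less requests."""
    return hashlib.sha256(body).hexdigest() if body else ""


def sign_request(key_id, method, url, body=b"", ts=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_urlsafe(16)
    base = normalized_request_string(ts, nonce, method, url, body_digest(body))
    mac = hmac.new(CREDENTIALS[key_id], base.encode(), hashlib.sha256).hexdigest()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


class Verifier:
    """Resource server side.  Remembers nonces seen inside the skew window so a
    captured request cannot be replayed while its timestamp is still valid."""

    def __init__(self, credentials, clock=time.time, max_skew=300):
        self.credentials = credentials
        self.clock = clock          # injectable for deterministic tests
        self.max_skew = max_skew    # seconds of allowed clock drift
        self.seen = {}              # (key_id, nonce) -> ts

    def verify(self, header, method, url, body=b""):
        """Return (accepted, reason) for an incoming request."""
        if not header.startswith("MAC "):
            return False, "not a MAC header"
        fields = dict(FIELD_RE.findall(header[4:]))
        try:
            key_id, ts = fields["id"], int(fields["ts"])
            nonce, mac = fields["nonce"], fields["mac"]
        except (KeyError, ValueError):
            return False, "malformed header"
        secret = self.credentials.get(key_id)
        if secret is None:
            return False, "unknown key id"
        now = int(self.clock())
        if abs(now - ts) > self.max_skew:
            return False, "timestamp out of window"
        self._expire(now)
        if (key_id, nonce) in self.seen:
            return False, "replayed nonce"
        base = normalized_request_string(ts, nonce, method, url, body_digest(body))
        expected = hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak how many leading
        # characters of the MAC were right via timing.
        if not hmac.compare_digest(expected, mac):
            return False, "mac mismatch"
        self.seen[(key_id, nonce)] = ts
        return True, "ok"

    def _expire(self, now):
        """Forget nonces whose timestamps have left the skew window; they can
        no longer pass the timestamp check, so storing them is pointless."""
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
```

The checks are deliberately ordered cheapest first (syntax, key lookup, timestamp, replay) so that the HMAC is only computed for requests that could still be accepted; the nonce set stays bounded because anything older than `max_skew` is dropped, and a stale but otherwise valid request is rejected by the timestamp check before the replay cache is consulted.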