Thanks for getting this started.

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Blaine Cook
> Sent: Wednesday, April 27, 2011 2:37 PM

> Description of Working Group
> 
> The Open Web Authentication (OAuth) protocol allows a user to grant a
> third-party Web site or application access to the user's protected resources,
> without necessarily revealing their long-term credentials, or even their
> identity. For example, a photo-sharing site that supports OAuth could allow
> its users to use a third-party printing Web site to print their private pictures,
> without allowing the printing site to gain full control of the user's account.

Please just call it OAuth and drop the silly 'Open Web Authentication' name. If 
you must, replace it with 'Web Authorization Protocol', and in no way keep the 
word 'Open'.
 
> OAuth consists of
> * a mechanism for a user to authorize issuance of credentials that
>   a third party can use to access resources on the user's behalf and
> * a mechanism for using the issued credentials to authenticate
>   HTTP requests.
> 
> In April 2010 the OAuth 1.0 specification, documenting pre-IETF work, was
> published as an informational document (RFC 5849). The working group has
> since been developing OAuth 2.0, a standards-track version that will reflect
> IETF consensus.  Version 2.0 will consider the implementation experience
> with version 1.0, and will

This should include a reference to WRAP given that 2.0 is a direct result of 
the combination of 1.0 and WRAP. I would also like this charter to limit the 
scope of the 2.0 protocol to that of the combined 1.0 RFC and WRAP. I'm pretty 
sure we're set to deliver exactly that.

> * improve the terminology used,
> * consider broader use cases,

I think we're done considering. Please drop this.

> * embody good security practices,
> * improve interoperability, and
> * provide guidelines for extensibility.
> 
> The working group will develop authentication schemes for peers/servers
> taking part in OAuth (accessing protected resources).
> This includes
> 
> * an HMAC-based authentication mechanism [to the extent that the OAuth
> wg produces specifications that could be used more generally for HTTP
> authentication, the WG will work with the security and applications area
> directors to ensure that this work gets appropriate review, e.g. via additional
> last calls in other relevant working groups such as httpbis],

I might have an issue with placing this work primarily within this WG. It 
belongs equally between HTTPbis, HTTP-State, and OAuth. The upcoming revision 
of this draft moves the OAuth bits into a smaller section, and is mostly 
focused on a general purpose MAC authentication scheme. The new draft includes 
two bindings: HTTP Cookies and OAuth 2.0.

So far this WG has proved pretty irrelevant in helping move this work forward. 
This is especially true for the audience needed for the new bits.

> * a specification for access protected by Transport Layer Security (bearer
> tokens),
> 
> * an extension to OAuth 2.0 to allow access tokens to be
>   requested when a client is in possession of a SAML assertion.
> 
> A separate informational description will be produced to provide additional
> security analysis for audiences beyond the community protocol
> implementers.
> 
> Milestones will be added for the later items after the near-term work has
> been completed.
> 
> Goals and Milestones
> May 2011    Submit 'HTTP Authentication: MAC Authentication' as a
> working group item

See above.

> May 2011    Submit 'OAuth 2.0 Threat Model and Security Considerations'
> as a working group item
> 
> Jul 2011    Submit 'The OAuth 2.0 Authorization Protocol' to the
> IESG for consideration as a Proposed Standard
> 
> Jul 2011    Submit 'HTTP Authentication: MAC Authentication' to the
> IESG for consideration as a Proposed Standard
> 
> Aug 2011    Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the
> IESG for consideration as a Proposed Standard
> 
> Oct 2011    Submit 'SAML 2.0 Bearer Assertion Grant Type Profile for
> OAuth 2.0' to the IESG for consideration as a Proposed Standard
> 
> Nov 2011    Prepare re-chartering

I would like this removed.

I would like to see this WG closed when this list is complete and if there is 
further work with enough interest, a new working group can be created.

EHL


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
