Although the IETF has been involved in Best Commercial Practices (BCP) (see
https://www.ietf.org/rfc/bcp-index.txt), which I think was the subject of
Kevat's original email.

 

So perhaps this is a subject matter that could co-exist in both the IETF and
W3C?

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Tim Cappalli
Sent: Monday, August 9, 2021 4:06 PM
To: kevats...@gmail.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Specifications for Identity Providers

 

I don't think there is explicit ownership, but generally password and magic
link type "stuff" happens in W3C.

 

There are existing work efforts around standardizing password reset endpoint
discovery, password complexity schemas, etc.

  _____  

From: Kevat Shah <kevats...@gmail.com <mailto:kevats...@gmail.com> >
Sent: Monday, August 9, 2021 16:03
To: Tim Cappalli <tim.cappa...@microsoft.com
<mailto:tim.cappa...@microsoft.com> >
Cc: oauth@ietf.org <mailto:oauth@ietf.org>  <oauth@ietf.org
<mailto:oauth@ietf.org> >
Subject: Re: [OAUTH-WG] Specifications for Identity Providers 

That's a good point. Is it fair to assume that W3C owns the standards for
most (if not all) standards related to Identity Providers? Or does it make
sense for IETF to start setting these standards in cases where W3C standards
don't exist?

 

- Kevat

On Mon, Aug 9, 2021, 2:56 PM Tim Cappalli <tim.cappa...@microsoft.com
<mailto:tim.cappa...@microsoft.com> > wrote:

I believe this topic would be more W3C scope, not IETF.

 

tim

  _____  

From: OAuth <oauth-boun...@ietf.org <mailto:oauth-boun...@ietf.org> > on
behalf of Kevat Shah <kevats...@gmail.com <mailto:kevats...@gmail.com> >
Sent: Sunday, August 8, 2021 16:37
To: oauth@ietf.org <mailto:oauth@ietf.org>  <oauth@ietf.org
<mailto:oauth@ietf.org> >
Subject: [OAUTH-WG] Specifications for Identity Providers 

I propose that we expand upon specific functionality provided by Identity
Providers (IdPs) and tasks handled by them.

 

To start with, there should be clear specifications for various
functionalities that IdPs provide such as:

 

- Email verification on registration

- Specifications regarding "forgot password" functionality

- Specifications regarding "reset password" functionality for users that
are logged in

These specifications only pertain to Identity Providers, and allow an
industry-wide set of rules that each Identity Provider must follow. The
purpose of doing so would be to standardize various frequently used and
implemented flows that are secure and widely reusable.

Some problems that would be addressed by these specifications would be:

 

- How to securely implement functionality where a user is sent a link to
verify their email address

 

- How to securely implement functionality where a user is sent a
verification code to verify their email address

 

- How to securely implement functionality where a user is sent a link to
reset their password 

 

- How to securely implement functionality where a user is sent a
verification code to reset their password

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
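The four problems Kevat's proposal lists (a link or a code sent by email to verify an address or to reset a password) all reduce to issuing and later redeeming a short-lived secret. The following is an added example, not code from the thread or from any IETF or W3C document; it models the server side of both shapes of that flow. The class and method names, the 15-minute lifetime and the five-attempt cap are this example's own assumptions.

```python
# Added example (not from the mailing-list thread or any IETF/W3C specification):
# a minimal server-side model of the email-verification and password-reset flows
# the proposal lists. Two secret shapes are covered:
#   * a high-entropy token embedded in a link (unguessable, so one attempt suffices),
#   * a short numeric code typed by the user (guessable, so attempts must be capped).
# In both cases only a hash of the secret is stored, the secret is bound to a purpose
# and an account, expires, and is single-use. Names, TTL and attempt cap are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for both links and codes
MAX_CODE_ATTEMPTS = 5         # assumed cap on wrong guesses for a 6-digit code


@dataclass
class Pending:
    purpose: str          # "verify_email" or "reset_password"
    account_id: str
    expires_at: float
    attempts_left: int
    used: bool = False


@dataclass
class TokenStore:
    clock: Callable[[], float] = time.time
    # sha256(secret) -> Pending. The raw token/code is never persisted, so a leaked
    # database does not yield working reset links or codes.
    _pending: Dict[str, Pending] = field(default_factory=dict)
    # account_id -> digest of that account's single active code
    _active_code: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def _consume(self, pending: Optional[Pending], purpose: str) -> Optional[str]:
        """Shared checks: exists, unused, right purpose, not expired. Marks it used."""
        if pending is None or pending.used or pending.purpose != purpose:
            return None
        if self.clock() > pending.expires_at:
            return None
        pending.used = True
        return pending.account_id

    # --- link flow: "user is sent a link to verify their email / reset their password"
    def issue_link_token(self, purpose: str, account_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy from the OS CSPRNG
        self._pending[self._digest(token)] = Pending(
            purpose, account_id, self.clock() + TOKEN_TTL_SECONDS, attempts_left=1)
        return token   # the caller embeds this in the emailed link

    def redeem_link_token(self, purpose: str, token: str) -> Optional[str]:
        # Lookup is by hash of the presented token; the timing of a hash-table lookup
        # gives no incremental information about the token itself.
        return self._consume(self._pending.get(self._digest(token)), purpose)

    # --- code flow: "user is sent a verification code"
    def issue_code(self, purpose: str, account_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        # Bind the code to the account so it is only valid for the mailbox it was sent to.
        digest = self._digest(f"{account_id}:{code}")
        old = self._active_code.pop(account_id, None)   # one live code per account
        if old is not None:
            self._pending.pop(old, None)
        self._pending[digest] = Pending(
            purpose, account_id, self.clock() + TOKEN_TTL_SECONDS,
            attempts_left=MAX_CODE_ATTEMPTS)
        self._active_code[account_id] = digest
        return code

    def redeem_code(self, purpose: str, account_id: str, code: str) -> Optional[str]:
        digest = self._active_code.get(account_id)
        pending = self._pending.get(digest) if digest is not None else None
        if pending is None or pending.attempts_left <= 0:
            return None
        pending.attempts_left -= 1   # charge the attempt before comparing
        if not hmac.compare_digest(digest, self._digest(f"{account_id}:{code}")):
            return None
        return self._consume(pending, purpose)


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue_link_token("reset_password", "alice")
    print(store.redeem_link_token("reset_password", t))   # alice
    print(store.redeem_link_token("reset_password", t))   # None: single-use
```

The two `issue_*`/`redeem_*` pairs differ only where the entropy of the secret forces them to: a link token carries enough randomness that one failed attempt can simply be ignored, while a six-digit code has to be bound to the account it was sent to and burned after a handful of wrong guesses, otherwise it can be enumerated within its lifetime. Both store a purpose so that a token minted for email verification cannot be replayed as a password reset.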