How would that work? Would we need to work with W3C to ensure conformity of standards?
On Mon, Aug 9, 2021, 4:11 PM <mich...@palage.com> wrote:

> Although the IETF has been involved in Best Commercial Practices (BCP) (see https://www.ietf.org/rfc/bcp-index.txt ) which I think was the subject of Kevat’s original email.
>
> So perhaps this is a subject matter that could co-exist in both the IETF and W3C?
>
> *From:* OAuth <oauth-boun...@ietf.org> *On Behalf Of* Tim Cappalli
> *Sent:* Monday, August 9, 2021 4:06 PM
> *To:* kevats...@gmail.com
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Specifications for Identity Providers
>
> I don't think there is explicit ownership, but generally password and magic link type "stuff" happens in W3C.
>
> There are existing work efforts around standardizing password reset endpoint discovery, password complexity schemas, etc.
>
> ------------------------------
>
> *From:* Kevat Shah <kevats...@gmail.com>
> *Sent:* Monday, August 9, 2021 16:03
> *To:* Tim Cappalli <tim.cappa...@microsoft.com>
> *Cc:* oauth@ietf.org <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Specifications for Identity Providers
>
> That's a good point. Is it fair to assume that W3C owns the standards for most (if not all) standards related to Identity Providers? Or does it make sense for IETF to start setting these standards in cases where W3C standards don't exist?
>
> - Kevat
>
> On Mon, Aug 9, 2021, 2:56 PM Tim Cappalli <tim.cappa...@microsoft.com> wrote:
>
> I believe this topic would be more W3C scope, not IETF.
>
> tim
>
> ------------------------------
>
> *From:* OAuth <oauth-boun...@ietf.org> on behalf of Kevat Shah <kevats...@gmail.com>
> *Sent:* Sunday, August 8, 2021 16:37
> *To:* oauth@ietf.org <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Specifications for Identity Providers
>
> I propose that we expand upon specific functionality provided by Identity Providers (IdPs) and tasks handled by them.
>
> To start with, there should be clear specifications for various functionalities that IdPs provide such as:
>
> - Email verification on registration
> - Specifications regarding "forgot password" functionality
> - Specifications regarding "reset password" functionality for users that are logged in
>
> These specifications only pertain to Identity Providers, and allow an industry-wide set of rules that each Identity Provider must follow. The purpose of doing so would be to standardize various frequently used and implemented flows that are secure and widely reusable.
>
> Some problems that would be addressed by these specifications would be:
>
> - How to securely implement functionality where a user is sent a link to verify their email address
> - How to securely implement functionality where a user is sent a verification code to verify their email address
> - How to securely implement functionality where a user is sent a link to reset their password
> - How to securely implement functionality where a user is sent a verification code to reset their password
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth