
From Hannes.Tschofenig@gmx.net  Sun Mar  1 05:12:28 2009
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: "'Alexey Melnikov'" <alexey.melnikov@isode.com>, "'Lisa Dusseault'" <Lisa.Dusseault@messagingarchitects.com>, <chris.newman@sun.com>, "'Blaine Cook'" <romeda@gmail.com>
Date: Sun, 1 Mar 2009 15:05:38 +0200
Message-ID: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net>
Cc: oauth@ietf.org
Subject: [oauth] OAuth Charter Finalized
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Mar 2009 13:12:28 -0000

Hi Lisa, Alexey, Chris, 

We have concluded our OAuth charter discussion on the mailing list.  The
charter text can be found below. 

Ciao
Hannes & Blaine

-----------------------

Open Authentication Protocol (oauth)

Last Modified: 2009-03-1

Chair(s):

TBD

Applications Area Director(s):

Chris Newman <chris.newman@sun.com>
Lisa Dusseault <lisa@osafoundation.org> 

Applications Area Advisor:

TBD

Mailing Lists:

https://www.ietf.org/mailman/listinfo/oauth

Description of Working Group:

OAuth allows a user to grant a third-party Web site or application access to
their resources, without necessarily revealing their credentials, or even
their identity. For example, a photo-sharing site that supports OAuth would
allow its users to use a third-party printing Web site to access their
private pictures, without gaining full control of the user account.

OAuth consists of:
  * A mechanism for exchanging a user's credentials for a token-secret pair
    which can be used by a third party to access resources on their behalf.
  * A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for
consideration as Proposed Standard, based upon draft-hammer-oauth-00.txt,
that will:
  * Improve the terminology used.
  * Embody good security practice, or document gaps in its capabilities, and
    propose a path forward for addressing the gap.
  * Promote interoperability.
  * Provide guidelines for extensibility.

This specifically means that as a starting point for the working group OAuth
1.0 (draft-hammer-oauth-00.txt) is used and the available extension points
are going to be utilized. The WG will profile OAuth 1.0 in a way that
produces a specification that is a backwards compatible profile, i.e. any
OAuth 1.0 and the specification produced by this group must support a basic
set of features to guarantee interoperability.

Furthermore, OAuth 1.0 defines three signature methods used to protect
requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on
new signature methods and will describe the environments where new security
requirements justify their usage. Existing signature methods will not be
modified but may be dropped as part of the backwards compatible profiling
activity. The applicability of existing and new signature methods to
protocols other than HTTP will be investigated.

The Working Group should consider:
  * Implementer experience.
  * The end-user experience, including internationalization.
  * Existing uses of OAuth.
  * Ability to achieve broad implementation.
  * Ability to address broader use cases than may be contemplated by the
    original authors.

The Working Group is not tasked with defining a generally applicable HTTP
Authentication mechanism (i.e., browser-based "2-leg" scenario), and should
consider this work out of scope in its discussions.  However, if the
deliverables are able to be factored in such a way that this is a
byproduct, or such a scenario could be addressed by additional future work,
the Working Group may choose to do so.

After delivering OAuth, the Working Group may consider defining additional
functions and/or extensions, for example (but not limited to):
 * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
 * Comprehensive message integrity, e.g.,
   http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
 * Recommendations regarding the structure of the token.
 * Localization, e.g.,
   http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
 * Session-oriented tokens, e.g.,
   http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
 * Alternate token exchange profiles, e.g.,
   draft-dehora-farrell-oauth-accesstoken-creds-00.


Goals and Milestones:

Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
            working group item
            (draft-hammer-oauth will be used as a starting point for further
            work.)
Jul 2009    Start of discussion about OAuth extensions the group should work
            on
Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
            Delegation Protocol'
Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to the
            IESG for consideration as a Proposed Standard
Nov 2009    Prepare milestone update to start new work within the scope of
            the charter


From danbrickley@gmail.com  Sun Mar  1 05:44:05 2009
Sender: Dan Brickley <danbrickley@gmail.com>
Message-ID: <49AA913B.6070400@danbri.org>
Date: Sun, 01 Mar 2009 14:44:27 +0100
From: Dan Brickley <danbri@danbri.org>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net>
In-Reply-To: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net>
Cc: 'Alexey Melnikov' <alexey.melnikov@isode.com>, chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

On 1/3/09 14:05, Hannes Tschofenig wrote:
> Hi Lisa, Alexey, Chris,
>
> We have concluded our OAuth charter discussion on the mailing list.  The
> charter text can be found below.
>
> Ciao
> Hannes & Blaine

For those of us unfamiliar with IETF process, what exactly does this 
mean? Is the group now chartered / active, or this is a charter proposal 
for discussion?

cheers,

Dan

--
http://danbri.org


From dhc2@dcrocker.net  Sun Mar  1 09:50:42 2009
Message-ID: <49AACAFE.2060603@dcrocker.net>
Date: Sun, 01 Mar 2009 09:50:54 -0800
From: Dave CROCKER <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
To: Dan Brickley <danbri@danbri.org>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AA913B.6070400@danbri.org>
In-Reply-To: <49AA913B.6070400@danbri.org>
Cc: 'Alexey Melnikov' <alexey.melnikov@isode.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized
Reply-To: dcrocker@bbiw.net

Dan Brickley wrote:
> For those of us unfamiliar with IETF process, what exactly does this 
> mean? Is the group now chartered / active, or this is a charter proposal 
> for discussion?


One perspective:

It means that there is a body of people who are willing to pursue the work defined 
by the charter text and that they are submitting it to the IETF management group 
(IESG) for approval.

The charter has had substantial involvement by an Area Director -- a member of 
the IESG.  Since the activity heavily involves security technology, it's worth 
noting that charter development also included significant involvement by folk 
with IETF security experience.  The charter has gone through a pretty diligent 
process, adapting to concerns that were expressed.  This shows some ability of 
the group to grapple with issues.

All of this bodes well for approval, IMO.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

From jtrentadams@gmail.com  Mon Mar  2 07:41:50 2009
Message-ID: <49ABFE54.80109@gmail.com>
Date: Mon, 02 Mar 2009 10:42:12 -0500
From: "J. Trent Adams" <jtrentadams@gmail.com>
To: Dan Brickley <danbri@danbri.org>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AA913B.6070400@danbri.org>
In-Reply-To: <49AA913B.6070400@danbri.org>
Cc: 'Alexey Melnikov' <alexey.melnikov@isode.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

Dan -

From what I understand of the process, this means that the proposed 
OAuth charter is up for a vote for Working Group status at the IETF.  As 
far as I can tell, once it's a ratified WG, the specification is tracked 
within the pipeline of IETF activities.

If my intel is accurate, the vote could take place as early as IETF 74 
the week of March 22nd in San Francisco.

YMMV,
Trent


Dan Brickley wrote:
> On 1/3/09 14:05, Hannes Tschofenig wrote:
>> Hi Lisa, Alexey, Chris,
>>
>> We have concluded our OAuth charter discussion on the mailing list.  The
>> charter text can be found below.
>>
>> Ciao
>> Hannes & Blaine
>
> For those of us unfamiliar with IETF process, what exactly does this 
> mean? Is the group now chartered / active, or this is a charter 
> proposal for discussion?
>
> cheers,
>
> Dan
>
> -- 
> http://danbri.org
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
J. Trent Adams
=jtrentadams

Profile: http://www.mediaslate.org/jtrentadams/
LinkedIN: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams


From jtrentadams@gmail.com  Mon Mar  2 08:02:53 2009
Message-ID: <49AC033F.1030407@gmail.com>
Date: Mon, 02 Mar 2009 11:03:11 -0500
From: "J. Trent Adams" <jtrentadams@gmail.com>
To: Dan Brickley <danbri@danbri.org>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AA913B.6070400@danbri.org> <49ABFE54.80109@gmail.com>
In-Reply-To: <49ABFE54.80109@gmail.com>
Cc: 'Alexey Melnikov' <alexey.melnikov@isode.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

Dan -

OK, apparently I'm still learning the IETF nomenclature.

There's no voting in the IETF, per se.  Instead, word on the street is 
that the charter will be up for discussion at the OAuth BoF (on Wed. 
March 25 at 1pm PT).  From there it goes to the IESG for approval by a 
rough consensus.

Whew.  I hope I got it that time, but welcome any more corrections.

- Trent


J. Trent Adams wrote:
> Dan -
>
> From what I understand of the process, this means that the proposed 
> OAuth charter is up for a vote for Working Group status at the IETF.  
> As far as I can tell, once it's a ratified WG, the specification is 
> tracked within the pipeline of IETF activities.
>
> If my intel is accurate, the vote could take place as early as IETF 74 
> the week of March 22nd in San Francisco.
>
> YMMV,
> Trent
>
>
> Dan Brickley wrote:
>> On 1/3/09 14:05, Hannes Tschofenig wrote:
>>> Hi Lisa, Alexey, Chris,
>>>
>>> We have concluded our OAuth charter discussion on the mailing list.  
>>> The
>>> charter text can be found below.
>>>
>>> Ciao
>>> Hannes & Blaine
>>
>> For those of us unfamiliar with IETF process, what exactly does this 
>> mean? Is the group now chartered / active, or this is a charter 
>> proposal for discussion?
>>
>> cheers,
>>
>> Dan
>>
>> -- 
>> http://danbri.org
>>
>> _______________________________________________
>> oauth mailing list
>> oauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
J. Trent Adams
=jtrentadams

Profile: http://www.mediaslate.org/jtrentadams/
LinkedIN: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams


From eran@hueniverse.com  Mon Mar  2 08:27:30 2009
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "J. Trent Adams" <jtrentadams@gmail.com>, Dan Brickley <danbri@danbri.org>
Date: Mon, 2 Mar 2009 09:28:07 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6BD8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AA913B.6070400@danbri.org> <49ABFE54.80109@gmail.com> <49AC033F.1030407@gmail.com>
In-Reply-To: <49AC033F.1030407@gmail.com>
Cc: 'Alexey Melnikov' <alexey.melnikov@isode.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "chris.newman@sun.com" <chris.newman@sun.com>, "oauth@ietf.org" <oauth@ietf.org>, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

This might help:

http://www.ietf.org/internet-drafts/draft-hoffman-tao4677bis-05.txt

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of J. Trent Adams
> Sent: Monday, March 02, 2009 8:03 AM
> To: Dan Brickley
> Cc: 'Alexey Melnikov'; Hannes Tschofenig; chris.newman@sun.com;
> oauth@ietf.org; 'Lisa Dusseault'
> Subject: Re: [oauth] OAuth Charter Finalized
>
> Dan -
>
> OK, apparently I'm still learning the IETF nomenclature.
>
> There's no voting in the IETF, per se.  Instead, word on the street is
> that the charter will be up for discussion at the OAuth BoF (on Wed.
> March 25 at 1pm PT).  From there it goes to the IESG for approval by a
> rough consensus.
>
> Whew.  I hope I got it that time, but welcome any more corrections.
>
> - Trent
>
>
> J. Trent Adams wrote:
> > Dan -
> >
> > From what I understand of the process, this means that the proposed
> > OAuth charter is up for a vote for Working Group status at the IETF.
> > As far as I can tell, once it's a ratified WG, the specification is
> > tracked within the pipeline of IETF activities.
> >
> > If my intel is accurate, the vote could take place as early as IETF 74
> > the week of March 22nd in San Francisco.
> >
> > YMMV,
> > Trent
> >
> >
> > Dan Brickley wrote:
> >> On 1/3/09 14:05, Hannes Tschofenig wrote:
> >>> Hi Lisa, Alexey, Chris,
> >>>
> >>> We have concluded our OAuth charter discussion on the mailing list.
> >>> The
> >>> charter text can be found below.
> >>>
> >>> Ciao
> >>> Hannes & Blaine
> >>
> >> For those of us unfamiliar with IETF process, what exactly does this
> >> mean? Is the group now chartered / active, or this is a charter
> >> proposal for discussion?
> >>
> >> cheers,
> >>
> >> Dan
> >>
> >> --
> >> http://danbri.org
> >>
> >> _______________________________________________
> >> oauth mailing list
> >> oauth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
>
> --
> J. Trent Adams
> =jtrentadams
>
> Profile: http://www.mediaslate.org/jtrentadams/
> LinkedIN: http://www.linkedin.com/in/jtrentadams
> Twitter: http://twitter.com/jtrentadams
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From eran@hueniverse.com  Mon Mar  2 08:41:33 2009
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@googlegroups.com" <oauth@googlegroups.com>
Date: Mon, 2 Mar 2009 09:42:10 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6BDA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [oauth] FYI: State of the (OAuth) Union

http://www.hueniverse.com/hueniverse/2009/03/state-of-the-oauth-union.html

OAuth Core 1.0 was declared as final specification almost a year and a half
ago. The overall reception was incredible with almost overnight adoption
from major web players like Google, Yahoo, and MySpace. We even got the
attention of the major internet standard bodies, approaching us, some
officially, some less so, to bring the work over. It has been a good year
for community-driven specifications with OAuth leading the charge.

During the past year, we've also seen a lot of new ideas and new
requirements coming up. Most people are not aware that there are about 15
proposed extensions for OAuth covering a wide range of topics. There is also
a lot of confusion regarding what is going on with the specification, how
should extension be proposed (and made "official"), and recent announcements.

This post will try to answer some of the questions I receive from people on
a daily basis. If you care about OAuth, implemented it or plan to, or have
any dependency on the specification, technology, or community, this should
be a helpful read. If I missed an important question, please let me know in
the comments.

    * What's Up?
    * What is the Status of OAuth Core 1.0?
    * Is there a New Version Coming?
    * What is Being Done to Make the Current Specification Easier to Read?
    * Is OAuth Moving to the IETF?
    * Why the IETF?
    * Why does the IETF want OAuth?
    * Who Made You In Charge (to Bring OAuth to the IETF)?
    * Why isn't the Current Specification Good Enough? Why Seek a Standard?
    * OAuth doesn't Address My Use Case, How can I Extend it?
    * Any Upcoming OAuth Events?

EHL

From Hannes.Tschofenig@gmx.net  Wed Mar  4 06:57:21 2009
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: "'Alexey Melnikov'" <alexey.melnikov@isode.com>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AE5CD5.2080308@isode.com>
Date: Wed, 4 Mar 2009 16:58:43 +0200
Message-ID: <000701c99cd9$b81a56e0$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <49AE5CD5.2080308@isode.com>
Cc: chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

Hi Alexey, 

I prefer to avoid re-chartering unless the scope of the work significantly
changes.
The reason for this is efficiency. Discussing the new charter (as we can see
with this exercise) takes a lot of time that could be used more
productively.

See also the document I recently wrote about my impression on how to reduce
delays:
http://www.ietf.org/internet-drafts/draft-tschofenig-rai-reducing-delays-00.txt
(written with a focus on RAI but to some extent also applicable to other
areas)

Ciao
Hannes


>-----Original Message-----
>From: Alexey Melnikov [mailto:alexey.melnikov@isode.com]
>Sent: 04 March, 2009 12:50
>To: Hannes Tschofenig
>Cc: 'Lisa Dusseault'; chris.newman@sun.com; 'Blaine Cook'; oauth@ietf.org
>Subject: Re: OAuth Charter Finalized
>
>Hi,
>I have a quick question about the proposed Charter (please
>excuse me if this was discussed on the mailing list):
>
>Hannes Tschofenig wrote:
>
>>After delivering OAuth, the Working Group may consider defining
>>additional functions and/or extensions, for example (but not limited to):
>>
>WG charters typically say that work on such extra work items
>requires WG rechartering.
>What is the intent in this case?
>
>> * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
>> * Comprehensive message integrity, e.g.,
>>http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
>> * Recommendations regarding the structure of the token.
>> * Localization, e.g.,
>>http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
>> * Session-oriented tokens, e.g.,
>>http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
>> * Alternate token exchange profiles, e.g.,
>>draft-dehora-farrell-oauth-accesstoken-creds-00.
>>
>


From Hannes.Tschofenig@gmx.net  Wed Mar  4 07:48:46 2009
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: "'Alexey Melnikov'" <alexey.melnikov@isode.com>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AE5CD5.2080308@isode.com> <000701c99cd9$b81a56e0$0201a8c0@nsnintra.net> <49AE9BBE.5040705@isode.com>
Date: Wed, 4 Mar 2009 17:49:39 +0200
Message-ID: <003501c99ce0$d423e7a0$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <49AE9BBE.5040705@isode.com>
Cc: chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

Makes sense to me. I will add that text. 

>-----Original Message-----
>From: Alexey Melnikov [mailto:alexey.melnikov@isode.com]
>Sent: 04 March, 2009 17:18
>To: Hannes Tschofenig
>Cc: 'Lisa Dusseault'; chris.newman@sun.com; 'Blaine Cook'; oauth@ietf.org
>Subject: Re: OAuth Charter Finalized
>
>Hannes Tschofenig wrote:
>
>>Hi Alexey,
>>
>>I prefer to avoid re-chartering unless the scope of the work
>>significantly changes.
>>The reason for this is efficiency. Discussing the new charter (as we
>>can see with this exercise) takes a lot of time that could be used more
>>productively.
>>
>>See also the document I recently wrote about my impression on how to
>>reduce delays:
>>http://www.ietf.org/internet-drafts/draft-tschofenig-rai-reducing-delays-00.txt
>>(written with a focus on RAI but to some extent also applicable to
>>other areas)
>>
>Ok. I suggest the Charter text should say so in order to avoid
>any questions down the road.
>


From ksankar@cisco.com  Mon Mar  2 13:46:10 2009
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 2 Mar 2009 13:45:46 -0800
Message-ID: <9FA16888AD1BF64ABCE6C2532CCEB98A06B7E5A6@xmb-sjc-219.amer.cisco.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6BDA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6BDA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: "Krishna Sankar (ksankar)" <ksankar@cisco.com>
To: <oauth@googlegroups.com>
Cc: oauth@ietf.org
Subject: Re: [oauth] FYI: State of the (OAuth) Union

Eran,
	Excellent write-up. Couple of quick points:

	a)	Instead of another "easy-to-read" specification document
of some kind, might be easier to write an OAuth Primer (similar to what
W3C does). The document can have a section on "Lessons learned from
implementations". Naturally all of these will get folded into the RFC.

	b)	You had mentioned lack of good open source libraries. I
agree that it is important to have good libraries. Which libraries do
need work? Is there a list of tasks or some sort of pointers? If we
have a Wiki page and a list of work to be done - even at a very high
granular level - then it will make it easier for folks to pitch-in as
time permits.

	c)	BTW, moving to IETF is very good. A standard under a
well-accepted body like IETF makes it easier for corporations to adopt.
In the process, we also get visibility from the security community plus
a deliberate-systemic approach for growth.

Cheers
<k/>

|-----Original Message-----
|From: oauth@googlegroups.com [mailto:oauth@googlegroups.com] On Behalf
|Of Eran Hammer-Lahav
|Sent: Monday, March 02, 2009 8:42 AM
|To: oauth@googlegroups.com
|Cc: oauth@ietf.org
|Subject: [oauth] FYI: State of the (OAuth) Union
|
|
|http://www.hueniverse.com/hueniverse/2009/03/state-of-the-oauth-union.html
|
|OAuth Core 1.0 was declared as final specification almost a year and a
|half ago. The overall reception was incredible with almost overnight
|adoption from major web players like Google, Yahoo, and MySpace. We even
|got the attention of the major internet standard bodies, approaching us,
|some officially, some less so, to bring the work over. It has been a
|good year for community-driven specifications with OAuth leading the
|charge.
|
|During the past year, we've also seen a lot of new ideas and new
|requirements coming up. Most people are not aware that there are about
|15 proposed extensions for OAuth covering a wide range of topics. There
|is also a lot of confusion regarding what is going on with the
|specification, how should extension be proposed (and made "official"),
|and recent announcements.
|
|This post will try to answer some of the questions I receive from people
|on a daily basis. If you care about OAuth, implemented it or plan to, or
|have any dependency on the specification, technology, or community, this
|should be a helpful read. If I missed an important question, please let
|me know in the comments.
|
|    * What's Up?
|    * What is the Status of OAuth Core 1.0?
|    * Is there a New Version Coming?
|    * What is Being Done to Make the Current Specification Easier to Read?
|    * Is OAuth Moving to the IETF?
|    * Why the IETF?
|    * Why does the IETF want OAuth?
|    * Who Made You In Charge (to Bring OAuth to the IETF)?
|    * Why isn't the Current Specification Good Enough? Why Seek a Standard?
|    * OAuth doesn't Address My Use Case, How can I Extend it?
|    * Any Upcoming OAuth Events?
|
|EHL
|


From alexey.melnikov@isode.com  Wed Mar  4 02:49:47 2009
Message-ID: <49AE5CD5.2080308@isode.com>
Date: Wed, 04 Mar 2009 10:49:57 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net>
In-Reply-To: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

Hi,
I have a quick question about the proposed Charter (please excuse me if 
this was discussed on the mailing list):

Hannes Tschofenig wrote:

>After delivering OAuth, the Working Group may consider defining additional
>functions and/or extensions, for example (but not limited to):
>
WG charters typically say that work on such extra work items requires WG
rechartering.
What is the intent in this case?

> * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
> * Comprehensive message integrity, e.g.,
>http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
> * Recommendations regarding the structure of the token.
> * Localization, e.g.,
>http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
> * Session-oriented tokens, e.g.,
>http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
> * Alternate token exchange profiles, e.g.,
>draft-dehora-farrell-oauth-accesstoken-creds-00.
>


From alexey.melnikov@isode.com  Wed Mar  4 07:18:59 2009
Message-ID: <49AE9BBE.5040705@isode.com>
Date: Wed, 04 Mar 2009 15:18:22 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <004901c99a6e$6b96e120$0201a8c0@nsnintra.net> <49AE5CD5.2080308@isode.com> <000701c99cd9$b81a56e0$0201a8c0@nsnintra.net>
In-Reply-To: <000701c99cd9$b81a56e0$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: chris.newman@sun.com, oauth@ietf.org, 'Lisa Dusseault' <Lisa.Dusseault@messagingarchitects.com>
Subject: Re: [oauth] OAuth Charter Finalized

Hannes Tschofenig wrote:

>Hi Alexey,
>
>I prefer to avoid re-chartering unless the scope of the work significantly
>changes.
>The reason for this is efficiency. Discussing the new charter (as we can see
>with this exercise) takes a lot of time that could be used more
>productively.
>
>See also the document I recently wrote about my impression on how to reduce
>delays:
>http://www.ietf.org/internet-drafts/draft-tschofenig-rai-reducing-delays-00.txt
>(written with a focus on RAI but to some extent also applicable to other
>areas)
>
Ok. I suggest the Charter text should say so in order to avoid any 
questions down the road.


From eran@hueniverse.com  Mon Mar  9 22:19:38 2009
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 9 Mar 2009 22:20:28 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: multipart/mixed; boundary="_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EEBP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [oauth] FW: I-D Action:draft-hammer-oauth-01.txt

--_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EEBP3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I spent the last 3 days writing the entire spec from scratch (except for the
security consideration section which was just adjusted to the new
terminology). The new revision is based on feedback I collected over the
past year for the original specification. The main differences are:

* Terminology. Gone are the confusing terms (consumer, request token,
consumer key, etc.). Instead I am using terms from the HTTP spec, slightly
adjusted.

* Structure. The previous revision mixed authentication with authorization
and had very little reason to the way normative text was placed across
sections. The new structure splits the spec in two. The first part talks
about how to make authenticated requests using two sets of credentials. The
second part offers a method (one of many) for getting a token via
redirection.

* Encoding. The biggest issue with the previous revision was confusion over
parameter encoding and the signature base string. I cleaned up that section,
added new examples, and removed a couple of instructions to encode the
signature (bugs). If followed to the letter, the spec would break all
existing implementations... The good thing is it is confusing enough that
most people understood it the wrong way (which is actually the right way).
Take a look at the old section about PLAINTEXT:

---
oauth_signature is set to the concatenated encoded values of the Consumer
Secret and Token Secret, separated by a '&' character (ASCII code 38), even
if either secret is empty. The result MUST be encoded again.
---

'The result MUST be encoded again' is just plain wrong. It is encoded again
but according to the parameter transmission method, not the special way
OAuth does it, and the spec as written would actually double encode it.

* Normative requirements. The spec previously contained many MUSTs and
SHOULDs about stuff that could not be verified like documentation and
obtaining client credentials. I took out all the ones that didn't actually
make any practical difference.

I'm sure there is more, since this is practically a brand new spec (same
exact protocol). Please read and provide feedback.

EHL



-----Original Message-----
From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
Sent: Monday, March 09, 2009 4:45 PM
To: i-d-announce@ietf.org
Subject: I-D Action:draft-hammer-oauth-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories.

	Title           : The OAuth Core Protocol
	Author(s)       : E. Hammer-Lahav, B. Cook
	Filename        : draft-hammer-oauth-01.txt
	Pages           : 33
	Date            : 2009-03-09

This document specifies the OAuth core protocol.  OAuth provides a method
for clients to access server resources on behalf of another party (such as a
different client or an end user).  It also provides a redirection-based user
agent process for end users to authorize access to clients by substituting
their credentials (typically, a username and password pair) with a different
set of delegation-specific credentials.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EEBP3PW5EX1MB01E_--
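
The PLAINTEXT encoding point raised in the message above, worked through as an added example (not code from the draft, the original specification, or the author). The sample secrets, the function names, and the choice of a form-encoded request body as the transmission method are assumptions made for illustration.

```python
"""OAuth Core 1.0 PLAINTEXT signature: encode the secrets once, then let the
transmission method apply its own single round of encoding."""
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode


def oauth_encode(value: str) -> str:
    """OAuth parameter encoding: escape every octet outside the RFC 3986
    unreserved set (letters, digits, '-', '.', '_', '~')."""
    return quote(value, safe="-._~")


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """Encoded Consumer Secret and Token Secret joined by '&'. The separator
    is present even when either secret is empty."""
    return oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)


def literal_reading(consumer_secret: str, token_secret: str = "") -> str:
    """'The result MUST be encoded again' applied with OAuth's own encoding.
    Once the transport encodes it too, the value is double encoded."""
    return oauth_encode(plaintext_signature(consumer_secret, token_secret))


def transmit_form(signature: str) -> str:
    """Assumed transmission method: a form-encoded request body.
    urlencode() is the one transport-level encoding the value needs."""
    return urlencode({
        "oauth_signature_method": "PLAINTEXT",
        "oauth_signature": signature,
    })


def server_verify(body: str, consumer_secret: str, token_secret: str = "") -> bool:
    """Server side: undo the transport encoding exactly once, then compare
    with the expected value in constant time."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if params.get("oauth_signature_method") != "PLAINTEXT":
        return False
    received = params.get("oauth_signature", "")
    expected = plaintext_signature(consumer_secret, token_secret)
    return hmac.compare_digest(received.encode(), expected.encode())


def split_secrets(signature: str):
    """Recover both secrets from a PLAINTEXT signature. Splitting on '&' is
    unambiguous only because each secret was encoded before joining."""
    left, sep, right = signature.partition("&")
    if not sep:
        raise ValueError("PLAINTEXT signature must contain the '&' separator")
    return unquote(left), unquote(right)


# Constructed sample secrets containing characters that need escaping.
CONSUMER_SECRET = "cs&1/x"
TOKEN_SECRET = "ts=2 y"

if __name__ == "__main__":
    good = plaintext_signature(CONSUMER_SECRET, TOKEN_SECRET)
    bad = literal_reading(CONSUMER_SECRET, TOKEN_SECRET)
    for label, sig in (("encoded once", good), ("literal reading", bad)):
        body = transmit_form(sig)
        ok = server_verify(body, CONSUMER_SECRET, TOKEN_SECRET)
        print(f"{label:16} signature={sig!r}")
        print(f"{'':16} body={body!r} accepted={ok}")
```

Even with purely alphanumeric secrets the literal reading fails, because the '&' separator itself becomes `%26` before the transport encodes the value.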

From eran@hueniverse.com  Mon Mar  9 22:30:17 2009
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 9 Mar 2009 22:31:10 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: multipart/mixed; boundary="_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EECP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt

--_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EECP3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Here's a silly question, why not just use HTTP Basic or Digest auth to accomplish the same thing? Ask for a token using the actual resource owner's server credentials (username and password) and, well, get one.

Am I missing something?

More ideas in http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html

EHL

-----Original Message-----
From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
Sent: Monday, March 09, 2009 12:00 PM
To: i-d-announce@ietf.org
Subject: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : OAuth Access Tokens using credentials
	Author(s)       : B. hOra, S. Farrell
	Filename        : draft-dehora-farrell-oauth-accesstoken-creds-01.txt
	Pages           : 13
	Date            : 2009-03-09

OAuth Access Tokens using credentials is a technique for allowing user agents to obtain an OAuth access token on behalf of a user without requiring user intervention or HTTP redirection to a browser.
OAuth itself is documented in the OAuth Core 1.0 Specification.Editorial Note

To provide feedback on this Internet-Draft, email the authors.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-dehora-farrell-oauth-accesstoken-creds-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

--_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EECP3PW5EX1MB01E_
Content-Type: message/external-body;
	name="draft-dehora-farrell-oauth-accesstoken-creds-01.url"
Content-Description: draft-dehora-farrell-oauth-accesstoken-creds-01.url
Content-Disposition: attachment;
	filename="draft-dehora-farrell-oauth-accesstoken-creds-01.url"; size=112;
	creation-date="Mon, 09 Mar 2009 12:01:31 GMT";
	modification-date="Mon, 09 Mar 2009 12:01:31 GMT"
Content-Transfer-Encoding: base64


W0ludGVybmV0U2hvcnRjdXRdDQpVUkw9ZnRwOi8vZnRwLmlldGYub3JnL2ludGVybmV0LWRyYWZ0
cy9kcmFmdC1kZWhvcmEtZmFycmVsbC1vYXV0aC1hY2Nlc3N0b2tlbi1jcmVkcy0wMS50eHQNCg==

--_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EECP3PW5EX1MB01E_
Content-Type: text/plain; name="ATT00001.txt"
Content-Description: ATT00001.txt
Content-Disposition: attachment; filename="ATT00001.txt"; size=258;
	creation-date="Mon, 09 Mar 2009 12:01:31 GMT";
	modification-date="Mon, 09 Mar 2009 12:01:31 GMT"
Content-Transfer-Encoding: base64


--_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EECP3PW5EX1MB01E_--

From eran@hueniverse.com  Mon Mar  9 22:32:38 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BEA863A6A18 for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 22:32:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.682
X-Spam-Level: 
X-Spam-Status: No, score=-3.682 tagged_above=-999 required=5 tests=[AWL=0.917,  BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yWE9XzkxqULY for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 22:32:37 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id D3CE63A6A16 for <oauth@ietf.org>; Mon,  9 Mar 2009 22:32:37 -0700 (PDT)
Received: (qmail 4778 invoked from network); 10 Mar 2009 05:33:12 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Mar 2009 05:33:12 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 9 Mar 2009 22:33:12 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 9 Mar 2009 22:33:32 -0700
Thread-Topic: [oauth] FW: I-D Action:draft-hammer-oauth-01.txt
Thread-Index: AcmhEhfYzVUcOjReTn2UlDmONQfYhwALDYTwAADb92A=
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [oauth] FW: I-D Action:draft-hammer-oauth-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 05:32:38 -0000

Forgot to mention the blog post is:

http://www.hueniverse.com/hueniverse/2009/03/oauth-core-10-reborn.html

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Monday, March 09, 2009 10:20 PM
> To: oauth@ietf.org
> Subject: [oauth] FW: I-D Action:draft-hammer-oauth-01.txt
>
> I spent the last 3 days writing the entire spec from scratch (except
> for the security consideration section which was just adjusted to the
> new terminology). The new revision is based on feedback I collected
> over the past year for the original specification. The main differences
> are:
>
> * Terminology. Gone are the confusing terms (consumer, request token,
> consumer key, etc.). Instead I am using terms from the HTTP spec,
> slightly adjusted.
>
> * Structure. The previous revision mixed authentication with
> authorization and had very little reason to the way normative text was
> placed across sections. The new structure splits the spec in two. The
> first part talks about how to make authenticated requests using two
> sets of credentials. The second part offers a method (one of many) for
> getting a token via redirection.
>
> * Encoding. The biggest issue with the previous revision was confusion
> over parameter encoding and the signature base string. I cleaned up
> that section, added new examples, and removed a couple of instructions
> to encode the signature (bugs). If followed to the letter, the spec would
> break all existing implementations... The good thing is it is confusing
> enough that most people understood it the wrong way (which is actually
> the right way). Take a look at the old section about PLAINTEXT:
>
> ---
> oauth_signature is set to the concatenated encoded values of the
> Consumer Secret and Token Secret, separated by a '&' character (ASCII
> code 38), even if either secret is empty. The result MUST be encoded
> again.
> ---
>
> 'The result MUST be encoded again' is just plain wrong. It is encoded
> again but according to the parameter transmission method, not the
> special way OAuth does it, and the spec as written would actually
> double encode it.
>
> * Normative requirements. The spec previously contained many MUSTs and
> SHOULDs about stuff that could not be verified like documentation and
> obtaining client credentials. I took out all the ones that didn't
> actually make any practical difference.
>
> I'm sure there is more, since this is practically a brand new spec
> (same exact protocol). Please read and provide feedback.
>
> EHL
>
>
>
> -----Original Message-----
> From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org]
> On Behalf Of Internet-Drafts@ietf.org
> Sent: Monday, March 09, 2009 4:45 PM
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-hammer-oauth-01.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> 	Title           : The OAuth Core Protocol
> 	Author(s)       : E. Hammer-Lahav, B. Cook
> 	Filename        : draft-hammer-oauth-01.txt
> 	Pages           : 33
> 	Date            : 2009-03-09
>
> This document specifies the OAuth core protocol.  OAuth provides a
> method for clients to access server resources on behalf of another
> party (such as a different client or an end user).  It also provides a
> redirection-based user agent process for end users to authorize access
> to clients by substituting their credentials (typically, a username and
> password pair) with a different set of delegation-specific
> credentials.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
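
The PLAINTEXT encoding problem described in the message above, as an added example that is not part of the original mail or of the draft. It assumes the signature travels in a form-encoded body; the secrets and the function names are constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs, quote, urlencode


def pct(text):
    """OAuth percent-encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay literal."""
    return quote(text, safe="~")


def plaintext_signature(consumer_secret, token_secret):
    """Encoded secrets joined by '&', even if either secret is empty."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def form_body(signature, encode_again=False):
    """Serialize oauth_signature into a form-encoded request body.

    urlencode() already applies the transport's own encoding. With
    encode_again=True an extra OAuth encoding pass is applied first, which is
    what a literal reading of "The result MUST be encoded again" produces.
    """
    value = pct(signature) if encode_again else signature
    return urlencode({"oauth_signature": value})


def server_verify(body, consumer_secret, token_secret):
    """Undo the transport encoding once, then compare in constant time."""
    received = parse_qs(body, strict_parsing=True)["oauth_signature"][0]
    expected = plaintext_signature(consumer_secret, token_secret)
    return hmac.compare_digest(received.encode(), expected.encode())


# Constructed sample secrets containing characters that need encoding.
CONSUMER_SECRET = "cs&1"
TOKEN_SECRET = "t$2"

if __name__ == "__main__":
    sig = plaintext_signature(CONSUMER_SECRET, TOKEN_SECRET)
    for label, again in (("transport encoding only", False),
                         ("literal 'encoded again'", True)):
        body = form_body(sig, encode_again=again)
        ok = server_verify(body, CONSUMER_SECRET, TOKEN_SECRET)
        print(f"{label:26} {body:45} accepted={ok}")
```

A server that decodes the transport encoding once rejects the double-encoded value, so the two readings only interoperate with themselves.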

From eran@hueniverse.com  Mon Mar  9 22:43:50 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E9CCE3A69DA for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 22:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.753
X-Spam-Level: 
X-Spam-Status: No, score=-2.753 tagged_above=-999 required=5 tests=[AWL=-0.154, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6sgHl0Roz5IG for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 22:43:50 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 1A2FB3A684E for <oauth@ietf.org>; Mon,  9 Mar 2009 22:43:50 -0700 (PDT)
Received: (qmail 5807 invoked from network); 10 Mar 2009 05:44:25 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Mar 2009 05:44:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 9 Mar 2009 22:44:09 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Date: Mon, 9 Mar 2009 22:44:24 -0700
Thread-Topic: OAuth and HTTP proxies
Thread-Index: AcmhQ0T8ULZNWRAAQ7+O435dmfP0wA==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-cr-hashedpuzzle: Cbqy ClXT F1Ns GpSf G6QZ IwXu JvZc KbLh KpgZ MTNs NVlE O9xA PHDM UwQs W+Gc XCe1; 2; aQBlAHQAZgAtAGgAdAB0AHAALQB3AGcAQAB3ADMALgBvAHIAZwA7AG8AYQB1AHQAaABAAGkAZQB0AGYALgBvAHIAZwA=; Sosha1_v1; 7; {CE3737C8-F59E-4982-97CA-91A2FF475A35}; ZQByAGEAbgBAAGgAdQBlAG4AaQB2AGUAcgBzAGUALgBjAG8AbQA=; Tue, 10 Mar 2009 05:44:24 GMT;TwBBAHUAdABoACAAYQBuAGQAIABIAFQAVABQACAAcAByAG8AeABpAGUAcwA=
x-cr-puzzleid: {CE3737C8-F59E-4982-97CA-91A2FF475A35}
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [oauth] OAuth and HTTP proxies
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 05:43:51 -0000

Can someone please review the OAuth spec [1], in particular section 3.3.1.3=
, to help determine if the way OAuth signs requests is compatible with HTTP=
 proxies?

OAuth signs the request URI based on either the content of the Host header =
or the actual hostname and port used to make the request. It was written wi=
th total disregard to proxies and caches. I am trying to find out if it bre=
aks or breaks something else.

EHL

[1] http://tools.ietf.org/html/draft-hammer-oauth-01


From James.H.Manger@team.telstra.com  Mon Mar  9 23:13:19 2009
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8775D3A6A5C for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 23:13:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.875
X-Spam-Level: 
X-Spam-Status: No, score=-1.875 tagged_above=-999 required=5 tests=[AWL=0.020,  BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJeokTz1gadK for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 23:13:18 -0700 (PDT)
Received: from mailipao.vtcif.telstra.com.au (mailipao.vtcif.telstra.com.au [202.12.144.27]) by core3.amsl.com (Postfix) with ESMTP id 95F8E3A6917 for <oauth@ietf.org>; Mon,  9 Mar 2009 23:13:16 -0700 (PDT)
Received: from webi.vtcif.telstra.com.au (HELO mailbi.vtcif.telstra.com.au) ([202.12.142.19]) by mailipai.vtcif.telstra.com.au with ESMTP; 10 Mar 2009 17:13:49 +1100
Received: from mail2.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.vtcif.telstra.com.au (Postfix) with ESMTP id 51CFF1DA83 for <oauth@ietf.org>; Tue, 10 Mar 2009 17:13:49 +1100 (EST)
Received: from WSMSG3701.srv.dir.telstra.com (wsmsg3701.srv.dir.telstra.com [172.49.40.169]) by mail2.cdn.telstra.com.au (Postfix) with ESMTP id 757A841D64 for <oauth@ietf.org>; Tue, 10 Mar 2009 17:13:47 +1100 (EST)
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3701.srv.dir.telstra.com ([172.49.40.169]) with mapi; Tue, 10 Mar 2009 17:13:48 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 10 Mar 2009 17:13:47 +1100
Thread-Topic: [oauth] draft 01: sort order c@ vs c2
Thread-Index: AcmhEhfYzVUcOjReTn2UlDmONQfYhwALDYTwAAIZoZA=
Message-ID: <255B9BB34FB7D647A506DC292726F6E111F985B512@WSMSG3153V.srv.dir.telstra.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: [oauth]  draft 01: sort order c@ vs c2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 06:13:19 -0000

Why is "c%40" sorted after "c2"?
"c@" sorts after "c2", but §3.3.1.2. "Normalize Request Parameters" encodes names at step 1 before sorting at step 2.

James Manger
James.H.Manger@team.telstra.com
Identity and security team — Chief Technology Office — Telstra

----------
From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
Sent: Monday, March 09, 2009 4:45 PM
To: i-d-announce@ietf.org
Subject: I-D Action:draft-hammer-oauth-01.txt

	Title           : The OAuth Core Protocol
	Date            : 2009-03-09

http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt
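
The sort-order question in this message (c@ vs c2), as an added example that is not part of the original mail or of the draft: it normalizes the same parameters with both step orders and shows that a signature made with one order fails verification under the other. The parameter list, URI, key and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(text):
    """OAuth percent-encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay literal."""
    return quote(text, safe="~")


def encode_then_sort(params):
    """Encode names and values first, then sort the encoded pairs by byte value."""
    pairs = sorted((pct(name), pct(value)) for name, value in params)
    return "&".join(f"{name}={value}" for name, value in pairs)


def sort_then_encode(params):
    """Sort the decoded names and values first, then encode them."""
    return "&".join(f"{pct(name)}={pct(value)}" for name, value in sorted(params))


def sign(method, uri, normalized_params, key):
    """HMAC-SHA1 over METHOD&enc(uri)&enc(params), returned base64-encoded."""
    base_string = "&".join([method.upper(), pct(uri), pct(normalized_params)])
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_accepts(method, uri, params, key, client_signature, normalizer):
    """Recompute the signature with the server's own step order and compare."""
    expected = sign(method, uri, normalizer(params), key)
    return hmac.compare_digest(expected, client_signature)


# Constructed sample request: '%' (0x25) < '2' (0x32) < '@' (0x40).
PARAMS = [("c2", ""), ("c@", ""), ("a", "1")]
URI = "http://example.com/request"
KEY = "constructed-client-secret&constructed-token-secret"

if __name__ == "__main__":
    print("encode, then sort:", encode_then_sort(PARAMS))
    print("sort, then encode:", sort_then_encode(PARAMS))
    sig = sign("GET", URI, encode_then_sort(PARAMS), KEY)
    for normalizer in (encode_then_sort, sort_then_encode):
        ok = server_accepts("GET", URI, PARAMS, KEY, sig, normalizer)
        print(f"server using {normalizer.__name__}: accepted={ok}")
```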

From eran@hueniverse.com  Mon Mar  9 23:19:06 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 279843A6917 for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 23:19:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level: 
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[AWL=-0.400, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z0Vfsk+WSphA for <oauth@core3.amsl.com>; Mon,  9 Mar 2009 23:19:05 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 4B04A3A6A6A for <oauth@ietf.org>; Mon,  9 Mar 2009 23:19:05 -0700 (PDT)
Received: (qmail 9039 invoked from network); 10 Mar 2009 06:19:40 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Mar 2009 06:19:39 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 9 Mar 2009 23:19:39 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 9 Mar 2009 23:19:59 -0700
Thread-Topic: [oauth]  draft 01: sort order c@ vs c2
Thread-Index: AcmhEhfYzVUcOjReTn2UlDmONQfYhwALDYTwAAIZoZAAAFu4YA==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6EF6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E111F985B512@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E111F985B512@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [oauth] draft 01: sort order c@ vs c2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 06:19:06 -0000

From stephen.farrell@cs.tcd.ie  Tue Mar 10 02:56:06 2009
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 52B463A6901 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 02:56:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.293
X-Spam-Level: 
X-Spam-Status: No, score=-0.293 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yyl2oMGur4ng for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 02:56:05 -0700 (PDT)
Received: from mail.newbay.com (87-198-172-198.ptr.magnet.ie [87.198.172.198]) by core3.amsl.com (Postfix) with ESMTP id 0FB243A687F for <oauth@ietf.org>; Tue, 10 Mar 2009 02:56:04 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.newbay.com (Postfix) with ESMTP id 5F911100415D0; Tue, 10 Mar 2009 09:56:38 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail.newbay.com ([127.0.0.1]) by localhost (mail.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k2KgoO2JbkKN; Tue, 10 Mar 2009 09:56:14 +0000 (GMT)
Received: from [192.168.3.55] (unknown [192.168.3.55]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.newbay.com (Postfix) with ESMTP id D44D410041603; Tue, 10 Mar 2009 09:56:14 +0000 (GMT)
Message-ID: <49B63954.5080105@cs.tcd.ie>
Date: Tue, 10 Mar 2009 09:56:36 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.16 (X11/20080707)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D	Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 09:56:06 -0000

Basic or Digest would, I think, represent the consumer
authenticating as itself and could in fact be mixed with
the consumer passing on the user's credentials in order
to get an access token. (That was explicitly called out
in -00 but removed here since we bumped the security
level somewhat. Could add it back though.)

So, at least for the aggregator use case, I think these
are a) semantically different and b) might even be used
at the same time and so shouldn't be mixed.

I could imagine however an option for a user agent to
use Basic or Digest in an exchange that'd result in
acquisition of an access token. (Which is I guess what
your blog post below is about.) But since that'd require
a change to the browser to be generally useful we didn't
go there. I'd have to think about whether that'd work
for mobile use cases, but I suspect that the requirement
for two round-trips'd work against it there.

S.

Eran Hammer-Lahav wrote:
> Here's a silly question, why not just use HTTP Basic or Digest auth to accomplish the same thing? Ask for a token using the actual resource owner's server credentials (username and password) and, well, get one.
> 
> Am I missing something?
> 
> More ideas in http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html
> 
> EHL
> 
> -----Original Message-----
> From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
> Sent: Monday, March 09, 2009 12:00 PM
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 	Title           : OAuth Access Tokens using credentials
> 	Author(s)       : B. hOra, S. Farrell
> 	Filename        : draft-dehora-farrell-oauth-accesstoken-creds-01.txt
> 	Pages           : 13
> 	Date            : 2009-03-09
> 
> OAuth Access Tokens using credentials is a technique for allowing user agents to obtain an OAuth access token on behalf of a user without requiring user intervention or HTTP redirection to a browser.
> OAuth itself is documented in the OAuth Core 1.0 Specification.Editorial Note
> 
> To provide feedback on this Internet-Draft, email the authors.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-dehora-farrell-oauth-accesstoken-creds-01.txt
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From GFFletch@aol.com  Tue Mar 10 08:07:01 2009
Return-Path: <GFFletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECB1C3A6908 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 08:07:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_84=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2M3pD2KaUZh for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 08:06:55 -0700 (PDT)
Received: from imo-m13.mail.aol.com (imo-m13.mx.aol.com [64.12.143.101]) by core3.amsl.com (Postfix) with ESMTP id 48CB93A67ED for <oauth@ietf.org>; Tue, 10 Mar 2009 08:06:55 -0700 (PDT)
Received: from GFFletch@aol.com by imo-m13.mx.aol.com  (mail_out_v39.1.) id 7.ced.520dfa64 (37579); Tue, 10 Mar 2009 11:07:23 -0400 (EDT)
Received: from palantir.local ([10.181.74.124]) by cia-mb05.mx.aol.com (v123.3) with ESMTP id MAILCIAMB054-92cb49b6822a60; Tue, 10 Mar 2009 11:07:23 -0400
Message-ID: <49B6822A.1050002@aol.com>
Date: Tue, 10 Mar 2009 11:07:22 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AOL-IP: 10.181.74.124
X-Mailer: Unknown (No Version)
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAuth and HTTP proxies
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 15:07:01 -0000

I checked and both Host and Authorization MUST be passed through 
unchanged by proxies. So from a signature perspective that will work 
fine for HTTP 1.1 requests (as they require the presence of the Host 
header). For proxies that accept HTTP 1.0 requests, they SHOULD add the 
Host header based on the received hostname:port in the proxied URI. 
Given that the hostname:port values must be normalized before being 
added to the SBS, this should not break the signature by the downstream 
service.

One issue with OAuth and proxies is that the responses are not signed. 
So while the request to the "server" is protected, the response from the 
server is not. This means that all responses are subject to MITM attacks 
by the proxies. If response signing is added, then proxies can also 
change the content encoding of the response, so all content "decoding" 
must be done before processing the entity body to construct the SBS.

Thanks,
George

Eran Hammer-Lahav wrote:
> Can someone please review the OAuth spec [1], in particular section 3.3.1.3, to help determine if the way OAuth signs requests is compatible with HTTP proxies?
>
> OAuth signs the request URI based on either the content of the Host header or the actual hostname and port used to make the request. It was written with total disregard to proxies and caches. I am trying to find out if it breaks or breaks something else.
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-hammer-oauth-01
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>   
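
The Host-based normalization discussed in this reply, as an added example that is not part of the original mail or of the draft. It assumes the OAuth Core 1.0 rules for the signed URI (lowercase scheme and host, default port 80 or 443 omitted, query string excluded); the function names and the sample requests are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_authority(scheme, authority):
    """Lowercase the host and drop the port when it is the scheme's default."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not authority or any(ch in authority for ch in "@/?# "):
        raise ValueError(f"unusable authority: {authority!r}")
    parts = urlsplit(f"{scheme}://{authority}")
    host = parts.hostname              # lowercased, IPv6 brackets stripped
    if not host:
        raise ValueError(f"unusable authority: {authority!r}")
    if ":" in host:                    # put the brackets back on an IPv6 literal
        host = f"[{host}]"
    port = parts.port                  # raises ValueError on a non-numeric port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return host
    return f"{host}:{port}"


def base_string_uri(connection_scheme, request_target, host_header=None):
    """Derive the URI that goes into the signature base string.

    An absolute request target (the form a client sends to a proxy) carries
    its own scheme and authority; otherwise the Host header supplies the
    authority and the connection supplies the scheme.
    """
    if request_target.lower().startswith(("http://", "https://")):
        parts = urlsplit(request_target)
        scheme, authority, path = parts.scheme, parts.netloc, parts.path or "/"
    else:
        scheme, authority = connection_scheme.lower(), host_header
        path = request_target.split("?", 1)[0]
    return f"{scheme}://{normalize_authority(scheme, authority)}{path}"


# Constructed sample: the URI the client signed.
SIGNED_URI = "http://example.com/photos"

if __name__ == "__main__":
    hops = [
        ("direct, Host passed through", "/photos?size=original", "Example.COM:80"),
        ("absolute target via proxy", "http://EXAMPLE.com/photos?size=original", None),
        ("Host rewritten by an intermediary", "/photos?size=original", "backend.internal:8080"),
    ]
    for label, target, host in hops:
        uri = base_string_uri("http", target, host)
        print(f"{label:34} {uri:36} matches={uri == SIGNED_URI}")
```

The third constructed hop shows why the pass-through requirement matters: a verifier that sees a rewritten Host value derives a different URI and rejects an otherwise valid signature.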

From eran@hueniverse.com  Tue Mar 10 08:24:12 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 505FE3A6837 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 08:24:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.974
X-Spam-Level: 
X-Spam-Status: No, score=-2.974 tagged_above=-999 required=5 tests=[AWL=-0.375, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QMXv4Cc0NQvu for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 08:24:11 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 6C7593A65A5 for <oauth@ietf.org>; Tue, 10 Mar 2009 08:24:11 -0700 (PDT)
Received: (qmail 9784 invoked from network); 10 Mar 2009 15:24:45 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Mar 2009 15:24:45 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Tue, 10 Mar 2009 08:24:26 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 10 Mar 2009 08:24:40 -0700
Thread-Topic: 74th IETF - Early Bird Cutoff 
Thread-Index: AcmhkRFERxdNhnVKTySwvqvZjdH4pwAAznyA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6F24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [oauth] FW: 74th IETF - Early Bird Cutoff
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 15:24:12 -0000

In case you are planning to attend but have not yet registered...

EHL

-----Original Message-----
From: ietf-announce-bounces@ietf.org [mailto:ietf-announce-bounces@ietf.org] On Behalf Of IETF Secretariat
Sent: Tuesday, March 10, 2009 8:00 AM
To: IETF Announcement list
Cc: irsg@isi.edu; wgchairs@ietf.org; bofchairs@ietf.org
Subject: 74th IETF - Early Bird Cutoff

74th IETF Meeting
San Francisco, CA
March 22-27, 2009
Host: Juniper

Early-Bird registration cutoff is this Friday, March 13 at 17:00 PT
(24:00 UTC). After that time, the registration fee will increase by $150
USD to $785 USD.

Online registration for the IETF meeting is at:
http://www.ietf.org/meetings/74/

Be sure to make your hotel reservation at the Hilton San Francisco. Hotel
information can be found at:
http://www.ietf.org/meetings/74/hotels.html

The social event will be held at the California Academy of Sciences, more
information can be found at:
http://www.ietf.org/meetings/74/social_74

New requirements for travel to USA for Visa Waiver Program Participants.
Additional information can be found on our web site at:
http://www.ietf.org/meetings/74/visa-info.html or you can go directly to
ESTA (Electronic System for Travel Authorization)
http://cbp.gov/xp/cgov/travel/id_visa/esta/

Only 12 days until the San Francisco IETF!

_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce

From GFFletch@aol.com  Tue Mar 10 08:57:07 2009
Return-Path: <GFFletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 13DC13A67C0 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 08:57:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00fFe+bMK9PO for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 08:57:01 -0700 (PDT)
Received: from imo-d20.mx.aol.com (imo-d20.mx.aol.com [205.188.139.136]) by core3.amsl.com (Postfix) with ESMTP id 39DBF3A6AD6 for <oauth@ietf.org>; Tue, 10 Mar 2009 08:57:01 -0700 (PDT)
Received: from GFFletch@aol.com by imo-d20.mx.aol.com  (mail_out_v39.1.) id i.cb9.44468f1c (37190); Tue, 10 Mar 2009 11:57:22 -0400 (EDT)
Received: from palantir.local ([10.181.74.124]) by cia-ma05.mx.aol.com (v123.3) with ESMTP id MAILCIAMA058-914649b68de124; Tue, 10 Mar 2009 11:57:21 -0400
Message-ID: <49B68DE1.5090504@aol.com>
Date: Tue, 10 Mar 2009 11:57:21 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <49B63954.5080105@cs.tcd.ie>
In-Reply-To: <49B63954.5080105@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AOL-IP: 10.181.74.124
X-Mailer: Unknown (No Version)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW:	I-D	Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 15:57:07 -0000

A few comments on this spec...

Would a viable addition to this current specification be to allow the 
access token to be constructed from the username and password? (e.g. 
access token key == username, access token secret == password).

This allows the password to not be sent in the clear over a 
"mutually-authenticated transport layer". I realize that using the 
password in this way requires the server to have a stored copy of the 
clear text password, but it seems like allowing this mechanism could 
reduce the requirement on the "mutually-authenticated transport layer". 
And may be viable and preferred in some circumstances.

Also, in OAuth each part of the flow has a defined endpoint. I didn't 
see that defined in this spec. What about defining the extension to have 
a specific endpoint 'client_auth' that can be discovered via XRDS?

Thanks,
George

Stephen Farrell wrote:
> Basic or Digest would, I think, represent the consumer
> authenticating as itself and could in fact be mixed with
> the consumer passing on the user's credentials in order
> to get an access token. (That was explicitly called out
> in -00 but removed here since we bumped the security
> level somewhat. Could add it back though.)
>
> So, at least for the aggregator use case, I think these
> are a) semantically different and b) might even be used
> at the same time and so shouldn't be mixed.
>
> I could imagine however an option for a user agent to
> use Basic or Digest in an exchange that'd result in
> acquisition of an access token. (Which is I guess what
> your blog post below is about.) But since that'd require
> a change to the browser to be generally useful we didn't
> go there. I'd have to think about whether that'd work
> for mobile use cases, but I suspect that the requirement
> for two round-trips'd work against it there.
>
> S.
>
> Eran Hammer-Lahav wrote:
>   
>> Here's a silly question, why not just use HTTP Basic or Digest auth to accomplish the same thing? Ask for a token using the actual resource owner's server credentials (username and password) and, well, get one.
>>
>> Am I missing something?
>>
>> More ideas in http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html
>>
>> EHL
>>
>> -----Original Message-----
>> From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
>> Sent: Monday, March 09, 2009 12:00 PM
>> To: i-d-announce@ietf.org
>> Subject: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt 
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>
>>   Title           : OAuth Access Tokens using credentials
>>   Author(s)       : B. hOra, S. Farrell
>>   Filename        : draft-dehora-farrell-oauth-accesstoken-creds-01.txt
>>   Pages           : 13
>>   Date            : 2009-03-09
>>
>> OAuth Access Tokens using credentials is a technique for allowing user agents to obtain an OAuth access token on behalf of a user without requiring user intervention or HTTP redirection to a browser.
>> OAuth itself is documented in the OAuth Core 1.0 Specification.Editorial Note
>>
>> To provide feedback on this Internet-Draft, email the authors.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-dehora-farrell-oauth-accesstoken-creds-01.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> oauth mailing list
>> oauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>     
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>   
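
George's suggestion above (access token key == username, access token secret == password), as an added Python example that is not from the draft or from anyone in the thread: an OAuth Core 1.0 HMAC-SHA1 signature keyed with the password, checked against a server that stores the clear-text password and against one that stores only a salted hash. The URL, consumer credentials, user record, nonce and timestamp are constructed, and only a minimal parameter set is signed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

CONSUMER_KEY = "demo-consumer"              # constructed
CONSUMER_SECRET = "demo-consumer-secret"    # constructed
URL = "https://sp.example/photos"           # constructed endpoint


def enc(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted, normalized parameters."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with 'consumer secret & token secret'."""
    key = enc(consumer_secret) + "&" + enc(token_secret)
    sbs = signature_base_string(method, url, params)
    digest = hmac.new(key.encode(), sbs.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def client_request(username, password, nonce, timestamp):
    """Client side: the username is the token key, the password the token secret."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": username,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "size": "original",
    }
    sig = hmac_sha1_signature("GET", URL, params, CONSUMER_SECRET, password)
    return params, sig


def pbkdf2_hex(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Two constructed user stores: one keeps the password, one keeps only a salted hash.
CLEARTEXT_STORE = {"alice": "correct horse battery"}
HASHED_STORE = {"alice": pbkdf2_hex("correct horse battery", b"constructed-salt")}


def server_verify(params, signature, store):
    """Recompute the signature with whatever secret the server has on file."""
    stored = store.get(params.get("oauth_token"))
    if stored is None:
        return False
    expected = hmac_sha1_signature("GET", URL, params, CONSUMER_SECRET, stored)
    return hmac.compare_digest(expected, signature)


def run_demo():
    password = "correct horse battery"
    params, sig = client_request("alice", password, "n-7f3a", "1236700000")
    _, bad_sig = client_request("alice", "wrong guess", "n-7f3a", "1236700000")
    on_wire = list(params.values()) + [sig]
    return {
        "password_on_wire": any(password in str(v) for v in on_wire),
        "cleartext_store_verifies": server_verify(params, sig, CLEARTEXT_STORE),
        "hashed_store_verifies": server_verify(params, sig, HASHED_STORE),
        "wrong_password_verifies": server_verify(params, bad_sig, CLEARTEXT_STORE),
    }


if __name__ == "__main__":
    print(run_demo())
```

The password never appears in the request, but the server that holds only the salted hash cannot rebuild the HMAC key, which is the clear-text storage requirement the message points out.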

From onyxraven@gmail.com  Tue Mar 10 21:01:40 2009
Return-Path: <onyxraven@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E8FBD3A68A8 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.601
X-Spam-Level: *
X-Spam-Status: No, score=1.601 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_IS_IT_OUR_ACCOUNT=4.2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YA2lJV4NQKfz for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:01:39 -0700 (PDT)
Received: from mail-gx0-f167.google.com (mail-gx0-f167.google.com [209.85.217.167]) by core3.amsl.com (Postfix) with ESMTP id AD1553A681D for <oauth@ietf.org>; Tue, 10 Mar 2009 21:01:35 -0700 (PDT)
Received: by gxk11 with SMTP id 11so1698195gxk.13 for <oauth@ietf.org>; Tue, 10 Mar 2009 21:02:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=B1r9wIY+InapkEl8E0O2+RsUPbu3qA1U+6q7LjOaru4=; b=kQK+frkmLxOqkarNGrchW+uwWOlDUcDs8DRjFwypKdXyL/s1r6t00ru0v/dOLKCSuc nvZcW0EJ3U3BN+ihSQQq3QNC2lr8nmeNve2WMkmQWJy937BhHX8X3W+GPyd1u0Fgt86N McML/56IzXCPGI/GMZ8BUTy0F0xLEixYcosr8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=aQ5lTmAnYle8aAybGVx6U4FgJufzD2I43cRKQ5nlNtpOjCvOHkq581tqqp9HyusZ0i pMFHKcC3M0UGJryOZSqbN60C0mJfUFFU0MZoV8dxBQHS2Pv6aNEp1+F360bKxaR2mOUI bf9EUPQ+/68UYfQ6WpRoZLUczTlkjmmHb9Zr0=
MIME-Version: 1.0
Received: by 10.151.42.6 with SMTP id u6mr13101492ybj.231.1236744130947; Tue,  10 Mar 2009 21:02:10 -0700 (PDT)
In-Reply-To: <49B68DE1.5090504@aol.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <49B63954.5080105@cs.tcd.ie> <49B68DE1.5090504@aol.com>
Date: Tue, 10 Mar 2009 22:02:10 -0600
Message-ID: <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
From: Onyx Raven <onyxraven@gmail.com>
To: George Fletcher <gffletch@aol.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 04:01:41 -0000

I think I would rather see an exchange for a real access token as is
in the spec.  This way, the provider can easily change backends, and
the consumer can cache the credentials without any directly-derived
data.

For consumers who for one reason or another just cannot do the web
redirect dance, we at Photobucket have been doing a 'direct login'
which exchanges username and hashed password for access token
credentials, and it is only given for 'known' partners.  We've been
clear in our licensing of the method that neither user-agents nor
consumers should cache the user inputs, but the access tokens instead.
Mobile and device consumers are already using it.  It's not
basic/digest, it's a specific REST POST, but it's in the same spirit as
the spec.

IIRC, when I was first implementing OAuth SP a year ago, there were
some example use cases where the Consumer/UserAgent could request the
temporary token, and present it to the user to enter on a different
channel.  I am reminded that this is essentially the way Netflix
device activation works.  You get the activation key, and then on your
PC, you login to your account on the provider and enter the key.  That
signs the request, and back on the device, it either waits for a
button-press to attempt to proceed, or auto-checks the key to see if
it's signed.  The device can then complete the oauth access token
procedure.  This seems to be a convenient way of obtaining an access
token, which is fully supported by the current OAuth Core spec if
implemented properly.  I know that's not the direct intention of the
spec in the subject, but it is an alternative.

Back to the spec in the subject - aside from the below question about
rfc2617 HTTP Basic (or even Digest), is the current oauth extension
parameter format of using 'xoauth_' not used anymore?

On Tue, Mar 10, 2009 at 9:57 AM, George Fletcher <gffletch@aol.com> wrote:
> A few comments on this spec...
>
> Would a viable addition to this current specification be to allow the access
> token to be constructed from the username and password? (e.g. access token
> key == username, access token secret == password).
>
> This allows the password to not be sent in the clear over a
> "mutually-authenticated transport layer". I realize that using the password
> in this way requires the server to have a stored copy of the clear text
> password, but it seems like allowing this mechanism could reduce the
> requirement on the "mutually-authenticated transport layer". And may be
> viable and preferred in some circumstances.
>
> Also, in OAuth each part of the flow has a defined endpoint. I didn't see
> that defined in this spec. What about defining the extension to have a
> specific endpoint 'client_auth' that can be discovered via XRDS?
>
> Thanks,
> George
>
> Stephen Farrell wrote:
>>
>> Basic or Digest would, I think, represent the consumer
>> authenticating as itself and could in fact be mixed with
>> the consumer passing on the user's credentials in order
>> to get an access token. (That was explicitly called out
>> in -00 but removed here since we bumped the security
>> level somewhat. Could add it back though.)
>>
>> So, at least for the aggregator use case, I think these
>> are a) semantically different and b) might even be used
>> at the same time and so shouldn't be mixed.
>>
>> I could imagine however an option for a user agent to
>> use Basic or Digest in an exchange that'd result in
>> acquisition of an access token. (Which is I guess what
>> your blog post below is about.) But since that'd require
>> a change to the browser to be generally useful we didn't
>> go there. I'd have to think about whether that'd work
>> for mobile use cases, but I suspect that the requirement
>> for two round-trips'd work against it there.
>>
>> S.
>>
>> Eran Hammer-Lahav wrote:
>>
>>>
>>> Here's a silly question, why not just use HTTP Basic or Digest auth to
>>> accomplish the same thing? Ask for a token using the actual resource owner's
>>> server credentials (username and password) and, well, get one.
>>>
>>> Am I missing something?
>>>
>>> More ideas in
>>> http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html
>>>
>>> EHL
>>>
>>> -----Original Message-----
>>> From: i-d-announce-bounces@ietf.org
>>> [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
>>> Sent: Monday, March 09, 2009 12:00 PM
>>> To: i-d-announce@ietf.org
>>> Subject: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>>
>>>   Title           : OAuth Access Tokens using credentials
>>>   Author(s)       : B. hOra, S. Farrell
>>>   Filename        : draft-dehora-farrell-oauth-accesstoken-creds-01.txt
>>>   Pages           : 13
>>>   Date            : 2009-03-09
>>>
>>> OAuth Access Tokens using credentials is a technique for allowing user
>>> agents to obtain an OAuth access token on behalf of a user without requiring
>>> user intervention or HTTP redirection to a browser.
>>> OAuth itself is documented in the OAuth Core 1.0 Specification.Editorial
>>> Note
>>>
>>> To provide feedback on this Internet-Draft, email the authors.
>>>
>>> A URL for this Internet-Draft is:
>>>
>>> http://www.ietf.org/internet-drafts/draft-dehora-farrell-oauth-accesstoken-creds-01.txt
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> Below is the data which will enable a MIME compliant mail reader
>>> implementation to automatically retrieve the ASCII version of the
>>> Internet-Draft.
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> oauth mailing list
>>> oauth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> _______________________________________________
>> oauth mailing list
>> oauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
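
The "activation key" flow described in this message, as an added Python example (not Photobucket's, Netflix's or the OAuth spec's code): an in-memory service provider issues a request token together with a short activation key, the logged-in user approves that key on another channel, and the device polls until the request token can be exchanged for an access token. Class and method names, the key format and the key lifetime are assumptions, and request signing is left out so the token state machine stays in view.

```python
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, easier to type


class ServiceProvider:
    """In-memory provider; every name here is hypothetical."""

    def __init__(self, key_lifetime=600, clock=time.time):
        self.key_lifetime = key_lifetime
        self.clock = clock
        self.pending = {}        # request token -> state
        self.by_key = {}         # activation key -> request token
        self.access_tokens = {}  # access token -> user

    def request_token(self, consumer_key):
        """Device asks for a temporary token and the key to show the user."""
        token = secrets.token_urlsafe(16)
        key = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.pending[token] = {
            "consumer": consumer_key, "secret": secrets.token_urlsafe(16),
            "key": key, "expires": self.clock() + self.key_lifetime, "user": None,
        }
        self.by_key[key] = token
        return token, self.pending[token]["secret"], key

    def approve(self, logged_in_user, activation_key):
        """Called by the provider's web site after the user has logged in there."""
        token = self.by_key.get(activation_key.strip().upper())
        state = self.pending.get(token)
        if state is None or self.clock() > state["expires"]:
            return False
        state["user"] = logged_in_user
        del self.by_key[state["key"]]  # a key approves exactly one request token
        return True

    def is_authorized(self, token):
        state = self.pending.get(token)
        return bool(state and state["user"] and self.clock() <= state["expires"])

    def access_token(self, consumer_key, token, token_secret):
        """Exchange an approved request token; the request token is single use."""
        state = self.pending.get(token)
        if (state is None or state["consumer"] != consumer_key
                or not secrets.compare_digest(state["secret"], token_secret)
                or not self.is_authorized(token)):
            return None
        del self.pending[token]
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = state["user"]
        return access


def device_poll(sp, consumer_key, token, secret, attempts, between_polls=None):
    """Device side: check whether the key was approved, then exchange."""
    for _ in range(attempts):
        if sp.is_authorized(token):
            return sp.access_token(consumer_key, token, secret)
        if between_polls:
            between_polls()  # stands in for waiting; the demo approves here
    return None


def run_demo():
    now = [1000.0]  # fake clock so expiry can be shown without sleeping
    sp = ServiceProvider(key_lifetime=600, clock=lambda: now[0])
    token, secret, key = sp.request_token("tv-app")
    early = device_poll(sp, "tv-app", token, secret, attempts=2)
    wrong_key = sp.approve("alice", "00000000")  # '0' is never in a real key
    access = device_poll(sp, "tv-app", token, secret, attempts=3,
                         between_polls=lambda: sp.approve("alice", key.lower()))
    replay = sp.access_token("tv-app", token, secret)
    _, _, key2 = sp.request_token("tv-app")
    now[0] += 601  # the second key expires before anyone enters it
    late = sp.approve("alice", key2)
    return {"early": early, "wrong_key": wrong_key,
            "user": sp.access_tokens.get(access), "replay": replay, "late": late}


if __name__ == "__main__":
    print(run_demo())
```

The user's password is only ever typed into the provider's own site; the device sees the activation key and the tokens, and an unapproved, replayed or expired request token yields nothing.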

From onyxraven@gmail.com  Tue Mar 10 21:15:48 2009
Return-Path: <onyxraven@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 186BA3A689A for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:15:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.601
X-Spam-Level: *
X-Spam-Status: No, score=1.601 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_IS_IT_OUR_ACCOUNT=4.2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e9+cIOaj1WIU for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:15:47 -0700 (PDT)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.28]) by core3.amsl.com (Postfix) with ESMTP id 1C4B93A685D for <oauth@ietf.org>; Tue, 10 Mar 2009 21:15:46 -0700 (PDT)
Received: by yw-out-2324.google.com with SMTP id 5so466119ywh.49 for <oauth@ietf.org>; Tue, 10 Mar 2009 21:16:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type:content-transfer-encoding; bh=ymkQrEluVnNzB8G0Mup9g/VMd0yAh0Ac+F2dl7FA9N0=; b=j3eojLZfU4sRjqVvgQs5omWcOE172+Zb4exJzDfAaMsrFxPG/2j/+6S6YWSmaNxwcR JROEdNZZoaL/CdJqlWFF5khaoTSARhyTsDjeMGdDoGytcuvpXaGT7WxkbsBSxujb/n1j vzR87X1sPUxmfNiIrNmzjBDOG85AK6BMqyEBI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=cEgwhDKtozR0sWlUqqmwqdGFVrLiJio6ZrkgfkaNfBfWik1tDBKIhIeawtHKs7P9O4 yI4AW0Sdqo6OmFBh06A3JIgzXtT3kjjPxJ1g6DPTJjQ7/etKDy/uJxP7ses1X4v5HzlJ cu9L4o64racAK6eVk+tEqZ/8EKT1bazkuVFBg=
MIME-Version: 1.0
Sender: onyxraven@gmail.com
Received: by 10.150.51.6 with SMTP id y6mr14298099yby.129.1236744982509; Tue,  10 Mar 2009 21:16:22 -0700 (PDT)
In-Reply-To: <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <49B63954.5080105@cs.tcd.ie> <49B68DE1.5090504@aol.com> <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
Date: Tue, 10 Mar 2009 22:16:22 -0600
X-Google-Sender-Auth: 038a68c3ecf62541
Message-ID: <c5eeec030903102116l4291a41an30f2840d396cc8e9@mail.gmail.com>
From: Justin Hart <onyxraven+jhart@gmail.com>
To: George Fletcher <gffletch@aol.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 04:15:48 -0000

Sorry, I should use my real-name identity for the list here.  Anyway,
I realize that what I describe below is sort of the complement of the
'Valet key' and similar to the approval-queue as described in the blog
post below.  If I'm not missing any pieces, I think it's a fully viable
alternative.

I'm looking to implement at least one of these methods as a
non-login-based alternative to the web redirects (avoiding direct
auth) for devices for Photobucket.  I sort of like the 'activation
key' method, as below, myself.

On Tue, Mar 10, 2009 at 10:02 PM, Onyx Raven <onyxraven@gmail.com> wrote:
> IIRC, when I was first implementing OAuth SP a year ago, there were
> some example use cases where the Consumer/UserAgent could request the
> temporary token, and present it to the user to enter on a different
> channel.  I am reminded that this is essentially the way Netflix
> device activation works.  You get the activation key, and then on your
> PC, you login to your account on the provider and enter the key.  That
> signs the request, and back on the device, it either waits for a
> button-press to attempt to proceed, or auto-checks the key to see if
> it's signed.  The device can then complete the oauth access token
> procedure.  This seems to be a convenient way of obtaining an access
> token, which is fully supported by the current OAuth Core spec if
> implemented properly.  I know that's not the direct intention of the
> spec in the subject, but it is an alternative.
>
> On Tue, Mar 10, 2009 at 9:57 AM, George Fletcher <gffletch@aol.com> wrote:
>>
>> Stephen Farrell wrote:
>>>
>>> Eran Hammer-Lahav wrote:
>>>>
>>>> More ideas in
>>>> http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html

From eran@hueniverse.com  Tue Mar 10 22:11:32 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5E593A6A12 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 22:11:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.932
X-Spam-Level: 
X-Spam-Status: No, score=-2.932 tagged_above=-999 required=5 tests=[AWL=-0.333, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k+tGs4Y3260w for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 22:11:31 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id AAA7C3A6784 for <oauth@ietf.org>; Tue, 10 Mar 2009 22:11:31 -0700 (PDT)
Received: (qmail 28914 invoked from network); 11 Mar 2009 05:12:06 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 11 Mar 2009 05:12:06 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 10 Mar 2009 22:12:06 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Onyx Raven <onyxraven@gmail.com>, George Fletcher <gffletch@aol.com>
Date: Tue, 10 Mar 2009 22:12:06 -0700
Thread-Topic: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
Thread-Index: Acmh/ixE9ch6XDMrQfKbDKsBGmH2hQACbyEg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6F83@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <49B63954.5080105@cs.tcd.ie> <49B68DE1.5090504@aol.com> <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
In-Reply-To: <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D	Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 05:11:33 -0000

From Hannes.Tschofenig@gmx.net  Wed Mar 11 23:34:53 2009
Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E31E3A67D0 for <oauth@core3.amsl.com>; Wed, 11 Mar 2009 23:34:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.364
X-Spam-Level: 
X-Spam-Status: No, score=-2.364 tagged_above=-999 required=5 tests=[AWL=0.235,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QLTpWlbnY34 for <oauth@core3.amsl.com>; Wed, 11 Mar 2009 23:34:51 -0700 (PDT)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 9D0273A67B6 for <oauth@ietf.org>; Wed, 11 Mar 2009 23:34:50 -0700 (PDT)
Received: (qmail invoked by alias); 12 Mar 2009 06:35:26 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp037) with SMTP; 12 Mar 2009 07:35:26 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX186kZ9/ZWE69R7VzWQlUv81qQcWJReyjo9nSHHQ36 rU4et+K33jN0yS
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: <oauth@ietf.org>
Date: Thu, 12 Mar 2009 08:36:32 +0200
Message-ID: <093d01c9a2dc$e26c6830$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acmi3OG+RLQ0DFWoStq4P6Gl1vMt+A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.57
Subject: [oauth] Agenda
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2009 06:34:53 -0000

We have put a first version of the agenda together (see below): 
http://www.ietf.org/proceedings/09mar/agenda/oauth.txt

We would again like to stress one point: 

     If you are not going to read draft-hammer-oauth-01.txt 
     then the meeting will not be beneficial to you. 
     We are not planning to give an OAuth tutorial, as it was 
     done with the BOF in Minneapolis. 

Ciao
Hannes & Blaine

-------------------------------------------------------------------------------

Open Web authentication BOF 
===========================


MONDAY, March 23, 2009
1300-1500 Afternoon Session I
Room: Continental 4


* Charter Status, Agenda Bashing (Hannes, Blaine)

 Note: We have finished the charter discussion on the mailing list already. 
       Hence, we do not plan to discuss it again during the meeting. 
 
* The OAuth Core Protocol (Eran)
http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt

 Note: The main part of our meeting will be spent with a discussion about 
       what can be improved with the OAuth protocol. You could call it 
	   open issues based on review feedback. 
	   
 >>>> IF YOU DON'T READ draft-hammer-oauth-01.txt THEN YOUR EXPERIENCE WILL BE
      LIMITED. <<<<
	 
* Conclusion and next steps (Hannes, Blaine)

	   


From hubertlvg@gmail.com  Wed Mar 11 23:53:46 2009
Return-Path: <hubertlvg@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 562923A66B4 for <oauth@core3.amsl.com>; Wed, 11 Mar 2009 23:53:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBYgyrqqKzpW for <oauth@core3.amsl.com>; Wed, 11 Mar 2009 23:53:45 -0700 (PDT)
Received: from mail-ew0-f177.google.com (mail-ew0-f177.google.com [209.85.219.177]) by core3.amsl.com (Postfix) with ESMTP id 1F9DA3A68CD for <oauth@ietf.org>; Wed, 11 Mar 2009 23:53:44 -0700 (PDT)
Received: by ewy25 with SMTP id 25so249073ewy.37 for <oauth@ietf.org>; Wed, 11 Mar 2009 23:54:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=NWofp5LnACjHKNCCdGuf3gATlTYzjXQF8Sjsci3kVNY=; b=gPUf9M6uipFlFnrGgVBdEvQ+FmYLE7qThh1LM+G2e3D3RAPmNyhUCuffzCDoWLGp7H KiOryxtuG855bdL71FwelqFIksSNXLthjBRZ5xVqO1TNBNzvQv7/RjQ2LnscOLzpD4xC rUWdC9WbCQ3u1op1KOhQZAvyFZlgHW3nghp70=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=CtrB3mRGVd79OxH+IcX+RX1YHwZq3vl8J2lO0Zy/kdHdoIqDOq6yvfbg5h1KgiZpln s8Edr+uZaKDlGrw0RK2gst4YEf71S7QF/5OAgvxuMl4VEbhR4seLacgVot39njLXz7jX AqDPESP9uk4aGogceO28NuQF1VJNvuou2hVWU=
MIME-Version: 1.0
Received: by 10.210.54.15 with SMTP id c15mr2073966eba.25.1236840861351; Wed,  11 Mar 2009 23:54:21 -0700 (PDT)
In-Reply-To: <093d01c9a2dc$e26c6830$0201a8c0@nsnintra.net>
References: <093d01c9a2dc$e26c6830$0201a8c0@nsnintra.net>
Date: Thu, 12 Mar 2009 07:54:21 +0100
Message-ID: <6c0fd2bc0903112354i289e88a4qd75606d761739741@mail.gmail.com>
From: Hubert Le Van Gong <hubertlvg@gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [oauth] Agenda
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2009 06:53:46 -0000

Will there be a conference call number for those of us who can't
attend in person (or can't afford $700+)?

Cheers,
Hubert



On Thu, Mar 12, 2009 at 7:36 AM, Hannes Tschofenig
<Hannes.Tschofenig@gmx.net> wrote:
> We have put a first version of the agenda together (see below):
> http://www.ietf.org/proceedings/09mar/agenda/oauth.txt
>
> We would again like to stress one point:
>
>     If you are not going to read draft-hammer-oauth-01.txt
>     then the meeting will not be beneficial to you.
>     We are not planning to give an OAuth tutorial, as it was
>     done with the BOF in Minneapolis.
>
> Ciao
> Hannes & Blaine
>
> ----------------------------------------------------------------------------
> ---
>
> Open Web authentication BOF
> ===========================
>
>
> MONDAY, March 23, 2009
> 1300-1500 Afternoon Session I
> Room: Continental 4
>
>
> * Charter Status, Agenda Bashing (Hannes, Blaine)
>
>  Note: We have finished the charter discussion on the mailing list already.
>       Hence, we do not plan to discuss it again during the meeting.
>
> * The OAuth Core Protocol (Eran)
> http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt
>
>  Note: The main part of our meeting will be spent with a discussion about
>       what can be improved with the OAuth protocol. You could call it
>           open issues based on review feedback.
>
>  >>>> IF YOU DON'T READ draft-hammer-oauth-01.txt THEN YOUR EXPERIENCE WILL
> BE
>      LIMITED. <<<<
>
> * Conclusion and next steps (Hannes, Blaine)
>
>
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

From aaron@serendipity.cx  Thu Mar 12 00:44:58 2009
Return-Path: <aaron@serendipity.cx>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F35D23A6A9A for <oauth@core3.amsl.com>; Thu, 12 Mar 2009 00:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hflv6BlJta8B for <oauth@core3.amsl.com>; Thu, 12 Mar 2009 00:44:57 -0700 (PDT)
Received: from mail.serendipity.cx (serendipity.palo-alto.ca.us [66.92.2.87]) by core3.amsl.com (Postfix) with ESMTP id 16E343A6AD7 for <oauth@ietf.org>; Thu, 12 Mar 2009 00:44:57 -0700 (PDT)
Received: from serendipity.cx (unknown [10.10.10.34]) by mail.serendipity.cx (Postfix) with ESMTP id 3D6BE16CE; Thu, 12 Mar 2009 00:53:43 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 12 Mar 2009 00:52:15 -0700
From: Aaron Stone <aaron@serendipity.cx>
To: Hubert Le Van Gong <hubertlvg@gmail.com>
In-Reply-To: <6c0fd2bc0903112354i289e88a4qd75606d761739741@mail.gmail.com>
References: <093d01c9a2dc$e26c6830$0201a8c0@nsnintra.net> <6c0fd2bc0903112354i289e88a4qd75606d761739741@mail.gmail.com>
Message-ID: <ddb069f946dd957244d215953e5d272d@serendipity.cx>
X-Sender: aaron@serendipity.cx
User-Agent: RoundCube Webmail/0.2
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Cc: oauth@ietf.org
Subject: Re: [oauth] Agenda
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2009 07:44:58 -0000

There will be live audio streaming and a Jabber room for each session.
Links from the full schedule are posted on the IETF tools site (I don't see
the audio or agenda links yet, but they'll appear as the preparations come
together):

http://tools.ietf.org/agenda/74/

Those who are joining by Jabber are encouraged to listen in on the audio
stream. If you don't hear your comments read aloud, just ask and someone
will read into the mic for you. Any comments you make are considered to be
IETF Contributions:

http://www.ietf.org/NOTEWELL.html

Please tune in at 13:00 PDT __UTC-7__ on Monday, March 23 2009.

Remember that the US now switches to daylight time in early March!

Aaron


On Thu, 12 Mar 2009 07:54:21 +0100, Hubert Le Van Gong
<hubertlvg@gmail.com>
wrote:
> Will there be a conference call number for those of us who can't
> attend in person (or can't afford $700+)?
> 
> Cheers,
> Hubert
> 
> 
> 
> On Thu, Mar 12, 2009 at 7:36 AM, Hannes Tschofenig
> <Hannes.Tschofenig@gmx.net> wrote:
>> We have put a first version of the agenda together (see below):
>> http://www.ietf.org/proceedings/09mar/agenda/oauth.txt
>>
>> We would again like to stress one point:
>>
>>     If you are not going to read draft-hammer-oauth-01.txt
>>     then the meeting will not be beneficial to you.
>>     We are not planning to give an OAuth tutorial, as it was
>>     done with the BOF in Minneapolis.
>>
>> Ciao
>> Hannes & Blaine
>>
>>
>> ----------------------------------------------------------------------------
>> ---
>>
>> Open Web authentication BOF
>> ===========================
>>
>>
>> MONDAY, March 23, 2009
>> 1300-1500 Afternoon Session I
>> Room: Continental 4
>>
>>
>> * Charter Status, Agenda Bashing (Hannes, Blaine)
>>
>>  Note: We have finished the charter discussion on the mailing list
>> already.
>>       Hence, we do not plan to discuss it again during the meeting.
>>
>> * The OAuth Core Protocol (Eran)
>> http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt
>>
>>  Note: The main part of our meeting will be spent with a discussion
>> about
>>       what can be improved with the OAuth protocol. You could call it
>>           open issues based on review feedback.
>>
>>  >>>> IF YOU DON'T READ draft-hammer-oauth-01.txt THEN YOUR EXPERIENCE
>> WILL
>> BE
>>      LIMITED. <<<<
>>
>> * Conclusion and next steps (Hannes, Blaine)
>>
>>
>>

From Hannes.Tschofenig@gmx.net  Mon Mar 23 07:33:01 2009
Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3CAEA3A67DD for <oauth@core3.amsl.com>; Mon, 23 Mar 2009 07:33:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.358
X-Spam-Level: 
X-Spam-Status: No, score=-2.358 tagged_above=-999 required=5 tests=[AWL=0.241,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBGsxNCwcEzV for <oauth@core3.amsl.com>; Mon, 23 Mar 2009 07:33:00 -0700 (PDT)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id B9F673A6B24 for <oauth@ietf.org>; Mon, 23 Mar 2009 07:32:51 -0700 (PDT)
Received: (qmail invoked by alias); 23 Mar 2009 14:33:40 -0000
Received: from dhcp-43b3.meeting.ietf.org (EHLO 4FIL42860) [130.129.67.179] by mail.gmx.net (mp065) with SMTP; 23 Mar 2009 15:33:40 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+2rYZac6O2cSd6zExc/8a1RxKkK48a3CZ11E4XOp 4lNoRs8emSROOG
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: <oauth@ietf.org>
Date: Mon, 23 Mar 2009 07:34:52 -0700
Message-ID: <007c01c9abc4$88dc2bc0$f7148182@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcmqeCwiBTbkqSCdR1KGZF0ZrSNq2ABSy4LQ
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.6
Subject: [oauth] FW: Audio Streams for IETF 74 in San Francisco
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2009 14:33:01 -0000

FYI

Jabber for the meeting: oauth@jabber.ietf.org

>-----Original Message-----
>From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On 
>Behalf Of Morgan Sackett
>Sent: 21 March, 2009 15:55
>To: ietf@ietf.org
>Subject: Audio Streams for IETF 74 in San Francisco
>
>There will be MP3 audio streams of the meetings happening in 
>the breakout rooms.  Specifically these are
>
>Continental 1&2
>Continental 3
>Continental 4
>Continental 5
>Continental 6
>Imperial A
>Imperial B
>Franciscan A
>
>Please refer to the online agenda at 
>http://tools.ietf.org/agenda/74/ to find a link to the stream 
>for each session.
>
>If there are concerns about the audio streams, there are a few 
>ways to get our attention.  Via email either 
>audio@meeting.ietf.org, or noc@meeting.ietf.org .  Via XMPP at 
>noc@jabber.ietf.org.
>
>Morgan Sackett
>VP of Engineering
>
>VeriLAN Event Services, Inc.
>215 SE Morrison Street
>Portland, OR 97214
>
>Tel: 503 907-1415
>Fax: 503 224-8833
>
>msackett@verilan.com
>www.verilan.com
>
>
>This e-mail contains proprietary information and may be confidential.  
>If you are not the intended recipient of this e-mail, you are 
>hereby notified that any dissemination, distribution or 
>copying of this message is strictly prohibited. If you 
>received this message in error, please delete it immediately.
>
>
>
>
>_______________________________________________
>Ietf mailing list
>Ietf@ietf.org
>https://www.ietf.org/mailman/listinfo/ietf
>

