
From leifj@it.su.se  Fri May  1 08:26:47 2009
Return-Path: <leifj@it.su.se>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D6CF3A725C for <oauth@core3.amsl.com>; Fri,  1 May 2009 08:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level: 
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WSVBZyIOOZ+O for <oauth@core3.amsl.com>; Fri,  1 May 2009 08:26:46 -0700 (PDT)
Received: from smtp.su.se (smtp3.su.se [130.237.93.228]) by core3.amsl.com (Postfix) with ESMTP id BCB6628C259 for <oauth@ietf.org>; Fri,  1 May 2009 08:26:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.su.se (Postfix) with ESMTP id A215E3BE71; Fri,  1 May 2009 17:27:44 +0200 (CEST)
Received: from smtp.su.se ([127.0.0.1]) by localhost (smtp3.su.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 25947-01-3; Fri,  1 May 2009 17:27:44 +0200 (CEST)
Received: from k2.mnt.se (72-255-9-105.client.stsn.net [72.255.9.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.su.se (Postfix) with ESMTP id 158053C169; Fri,  1 May 2009 17:27:43 +0200 (CEST)
From: Leif Johansson <leifj@it.su.se>
To: oauth@ietf.org
Date: Fri, 1 May 2009 17:27:34 +0200
User-Agent: KMail/1.10.4 (Linux/2.6.27-11-generic; KDE/4.1.4; i686; ; )
References: <C61E1CCE.17503%eran@hueniverse.com>
In-Reply-To: <C61E1CCE.17503%eran@hueniverse.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart7364501.onO1jLpFco"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200905011727.39776.leifj@it.su.se>
X-Virus-Scanned: by amavisd-new at smtp.su.se
Subject: Re: [oauth] OAuth Security Advisory
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2009 15:26:47 -0000

--nextPart7364501.onO1jLpFco
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Thursday 30 April 2009 00:03:42 Eran Hammer-Lahav wrote:
> This list (IETF) has no "jurisdiction" over the Core 1.0 version which is
> being addressed on the OAuth public list. Once a solution is proposed, it
> will be reflected in the draft-hammer-oauth I-D and will be part of the WG
> discussions.
>
> I did notify the security area but since I am not on their list, not sure
> if they discussed it or not.
>
> EHL

Eran,

Getting input from the IETF requires trust from the IETF. Getting the IETF
to trust you probably means you have a somewhat less formal approach to
what information goes where. Involving everyone in what is perceived to
be a serious protocol flaw would have cost you next to nothing ...

	Cheers Leif

--nextPart7364501.onO1jLpFco
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkn7FOYACgkQ8Jx8FtbMZncylwCeIrmJ3vkUDebNlBRhFH/wNaIb
jU0An2Ha8dcKNFP+AbtAktA+y7ywdUDo
=GcZU
-----END PGP SIGNATURE-----

--nextPart7364501.onO1jLpFco--

From romeda@gmail.com  Fri May  1 09:08:23 2009
Return-Path: <romeda@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AC9BF3A6BD6 for <oauth@core3.amsl.com>; Fri,  1 May 2009 09:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXxP1VjxZdAm for <oauth@core3.amsl.com>; Fri,  1 May 2009 09:08:22 -0700 (PDT)
Received: from mail-bw0-f163.google.com (mail-bw0-f163.google.com [209.85.218.163]) by core3.amsl.com (Postfix) with ESMTP id 6EF143A7085 for <oauth@ietf.org>; Fri,  1 May 2009 09:07:30 -0700 (PDT)
Received: by bwz7 with SMTP id 7so2379346bwz.37 for <oauth@ietf.org>; Fri, 01 May 2009 09:08:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=BmHCWyinMRMwgY+FGu+GlH+H6qvSlbrAdulmNFrDPAY=; b=eqYU0DIbmmxZvKAIqGh4o9kZ11C7gw369c7rO2ihm/gUm6k2nFPzJ2GrOJsbSnDP5V QmBSwDye2XpAKWg9WkF1gMiVJtAf2t2tyBTiq2Rvp+MItj3CPo1yaDK0P8pJ4AjajVfH Gw0gRISpW/MCsMVRRocsck8xtY5Ul8CWpI0Jg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=xHV/aM9vk4qjF91SpHFK8D82eO2loKMDzF3p9shus/fdCzppy/weFpS/F9OwCGZIPX Jg+Jcr8uKZw28554cBIoaP5M+Wijsk8P3SM5wggOCM6sGXesWoGwLJ/IZGlNK54b3oVg MazxKjkZWxvUFqPexoMYq9tdmozUkf+ISNJek=
MIME-Version: 1.0
Received: by 10.239.135.146 with SMTP id d18mr142009hbd.68.1241194132952; Fri,  01 May 2009 09:08:52 -0700 (PDT)
In-Reply-To: <200905011727.39776.leifj@it.su.se>
References: <C61E1CCE.17503%eran@hueniverse.com> <200905011727.39776.leifj@it.su.se>
Date: Fri, 1 May 2009 17:08:52 +0100
Message-ID: <d37b4b430905010908o65b72e6l72be8dec2b62d0cc@mail.gmail.com>
From: Blaine Cook <romeda@gmail.com>
To: Leif Johansson <leifj@it.su.se>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [oauth] OAuth Security Advisory
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2009 16:08:23 -0000

On Fri, May 1, 2009 at 4:27 PM, Leif Johansson <leifj@it.su.se> wrote:
>
> Getting input from the IETF requires trust from the IETF. Getting the IETF
> to trust you probably means you have a somewhat less formal approach to
> what information goes where. Involving everyone in what is perceived to
> be a serious protocol flaw would have cost you next to nothing ...

My understanding is that Eran's done the correct thing here -- since
OAuth is not yet chartered at the IETF, and the specifications in
question are actually different documents, my impression was that it
wasn't kosher to start a parallel discussion on this list until after
the charter is approved.

Rest assured that there's no "formal" approach to providing
information. Eran struggled at length to ensure that everyone with a
stake in OAuth received the information in a timely fashion, and was
in fact commended on his efforts by several tech news outlets.

I for one greatly value the IETF's input, and encourage any concerns /
comments regarding the immediate situation to be posted here (if
that's acceptable given the non-chartered status), on the non-IETF
OAuth list (oauth@googlegroups.com), or privately to myself or Eran as
above.

b.

From eran@hueniverse.com  Fri May  1 09:26:07 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4F66C3A67EB for <oauth@core3.amsl.com>; Fri,  1 May 2009 09:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.309
X-Spam-Level: 
X-Spam-Status: No, score=-3.309 tagged_above=-999 required=5 tests=[AWL=-0.710, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUbIFUPvcgA1 for <oauth@core3.amsl.com>; Fri,  1 May 2009 09:26:06 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 7AF523A6C38 for <oauth@ietf.org>; Fri,  1 May 2009 09:26:06 -0700 (PDT)
Received: (qmail 2645 invoked from network); 1 May 2009 16:27:30 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 1 May 2009 16:27:30 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Fri, 1 May 2009 09:27:30 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 1 May 2009 09:27:24 -0700
Thread-Topic: [oauth] OAuth Security Advisory
Thread-Index: AcnKcWG/vrmDLknNQKiwBHDQEuVBOwAB2G3w
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343780AFFEE3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C61E1CCE.17503%eran@hueniverse.com> <200905011727.39776.leifj@it.su.se>
In-Reply-To: <200905011727.39776.leifj@it.su.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Re: [oauth] OAuth Security Advisory
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2009 16:26:07 -0000

I must admit that I don't fully understand what you wrote.

We found a threat and the community who wrote the spec is working on a fix. We chose a venue for this discussion based on where the most active and relevant community resides. I am not interested in having a fractured conversation over multiple lists. That is not "cost next to nothing". I have notified different areas of the IETF about this because of the upcoming work and invited people to join the discussion.

I have no clue what your point is about the IETF, trust, and format approaches.

Also keep in mind that there must not be an automatic assumption that everyone involved or using OAuth Core 1.0 is going to transition or join the IETF effort. While I certainly intend to and hope others will do the same, there is an active community working on this and it has its own way of dealing with issues that relate to their work. The same is true for the IETF, and I expect the RFC version of OAuth to handle such cases differently in terms of where the discussion will be held.

EHL


> -----Original Message-----
> From: Leif Johansson [mailto:leifj@it.su.se]
> Sent: Friday, May 01, 2009 8:28 AM
> To: oauth@ietf.org
> Cc: Eran Hammer-Lahav; J. Trent Adams
> Subject: Re: [oauth] OAuth Security Advisory
> 
> On Thursday 30 April 2009 00:03:42 Eran Hammer-Lahav wrote:
> > This list (IETF) has no "jurisdiction" over the Core 1.0 version which
> > is being addressed on the OAuth public list. Once a solution is
> > proposed, it will be reflected in the draft-hammer-oauth I-D and will
> > be part of the WG discussions.
> >
> > I did notify the security area but since I am not on their list, not
> > sure if they discussed it or not.
> >
> > EHL
> 
> Eran,
> 
> Getting input from the IETF requires trust from the IETF. Getting the
> IETF to trust you probably means you have a somewhat less formal
> approach to what information goes where. Involving everyone in what is
> perceived to be a serious protocol flaw would have cost you next to
> nothing ...
> 
> 	Cheers Leif

From eran@hueniverse.com  Fri May  1 11:36:23 2009
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0F463A6EBD for <oauth@core3.amsl.com>; Fri,  1 May 2009 11:36:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.286
X-Spam-Level: 
X-Spam-Status: No, score=-3.286 tagged_above=-999 required=5 tests=[AWL=-0.687, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yxlkMseJ5Znk for <oauth@core3.amsl.com>; Fri,  1 May 2009 11:36:23 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 9D9F33A7254 for <oauth@ietf.org>; Fri,  1 May 2009 11:30:50 -0700 (PDT)
Received: (qmail 27261 invoked from network); 1 May 2009 18:32:14 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 1 May 2009 18:32:14 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Fri, 1 May 2009 11:32:13 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 1 May 2009 11:32:15 -0700
Thread-Topic: OAuth Core 1.0 fix discussions
Thread-Index: AcnKiyaiJadQ3nBRSom4VAxyNA3TQw==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343780AFFF0E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-cr-hashedpuzzle: Atwx BVDA BuQs DOYA DRmU EP7V Fh5f Fugf HIch HhPK Hq3n H78Q JCSp J237 J7BR KJfd; 1; bwBhAHUAdABoAEAAaQBlAHQAZgAuAG8AcgBnAA==; Sosha1_v1; 7; {85EDCC2B-7EB6-46D1-A134-2C959CD93567}; ZQByAGEAbgBAAGgAdQBlAG4AaQB2AGUAcgBzAGUALgBjAG8AbQA=; Fri, 01 May 2009 18:32:15 GMT; TwBBAHUAdABoACAAQwBvAHIAZQAgADEALgAwACAAZgBpAHgAIABkAGkAcwBjAHUAcwBzAGkAbwBuAHMA
x-cr-puzzleid: {85EDCC2B-7EB6-46D1-A134-2C959CD93567}
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [oauth] OAuth Core 1.0 fix discussions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2009 18:36:23 -0000

Are taking place here:

http://groups.google.com/group/oauth

EHL

From leifj@it.su.se  Sun May  3 01:33:09 2009
Return-Path: <leifj@it.su.se>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3954B3A6889 for <oauth@core3.amsl.com>; Sun,  3 May 2009 01:33:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.57
X-Spam-Level: 
X-Spam-Status: No, score=-2.57 tagged_above=-999 required=5 tests=[AWL=-1.810,  BAYES_05=-1.11, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HF5lBsePOM7m for <oauth@core3.amsl.com>; Sun,  3 May 2009 01:33:08 -0700 (PDT)
Received: from smtp.su.se (smtp2.su.se [130.237.164.53]) by core3.amsl.com (Postfix) with ESMTP id 41BD13A6784 for <oauth@ietf.org>; Sun,  3 May 2009 01:33:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.su.se (Postfix) with ESMTP id 665365C9B1; Sun,  3 May 2009 10:34:31 +0200 (CEST)
X-Virus-Scanned: by amavisd-new at av-in.su.se
Received: from smtp.su.se ([127.0.0.1]) by localhost (smtp2.su.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id M-w2z30liEBh; Sun,  3 May 2009 10:34:30 +0200 (CEST)
Received: from k2.mnt.se (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.su.se (Postfix) with ESMTPSA id 444E381A0C; Sun,  3 May 2009 10:34:30 +0200 (CEST)
From: Leif Johansson <leifj@it.su.se>
To: "Eran Hammer-Lahav" <eran@hueniverse.com>
Date: Sun, 3 May 2009 10:34:18 +0200
User-Agent: KMail/1.10.4 (Linux/2.6.27-11-generic; KDE/4.1.4; i686; ; )
References: <C61E1CCE.17503%eran@hueniverse.com> <200905011727.39776.leifj@it.su.se> <90C41DD21FB7C64BB94121FBBC2E72343780AFFEE3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343780AFFEE3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1290632.zSYn9UFuvY"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200905031034.24281.leifj@it.su.se>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAuth Security Advisory
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2009 08:33:09 -0000

--nextPart1290632.zSYn9UFuvY
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Friday 01 May 2009 18:27:24 Eran Hammer-Lahav wrote:
> I must admit that I don't fully understand what you wrote.
>
> We found a threat and the community who wrote the spec is working on a fix.
> We chose a venue for this discussion based on where the most active and
> relevant community resides. I am not interested in having a fractured
> conversation over multiple lists. That is not "cost next to nothing". I
> have notified different areas of the IETF about this because of the
> upcoming work and invited people to join the discussion.
>
> I have no clue what your point is about the IETF, trust, and format
> approaches.
>
> Also keep in mind that there must not be an automatic assumption that
> everyone involved or using OAuth Core 1.0 is going to transition or join
> the IETF effort. While I certainly intend to and hope others will do the
> same, there is an active community working on this and it has its own way
> of dealing with issues that relate to their work. The same is true for the
> IETF, and I expect the RFC version of OAuth to handle such cases
> differently in terms of where the discussion will be held.

I think you read too much into what I wrote. I simply meant that a short
note to the IETF list noting that a protocol problem had been discovered
and that work was in progress and where discussions were taking place
would have helped people on this list know where to go and what was
being done.

	Cheers Leif

--nextPart1290632.zSYn9UFuvY
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkn9VwsACgkQ8Jx8FtbMZneY4QCcDTEtdPTWpjZhTGuAKXtAxX9J
VeUAn20GNbWrSJPiKai2Yytuqx+SRtG4
=2a+p
-----END PGP SIGNATURE-----

--nextPart1290632.zSYn9UFuvY--

From paul.madsen@gmail.com  Wed May 13 06:12:01 2009
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6E453A6D0E for <oauth@core3.amsl.com>; Wed, 13 May 2009 06:12:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEt+euqR46d7 for <oauth@core3.amsl.com>; Wed, 13 May 2009 06:12:00 -0700 (PDT)
Received: from mail-px0-f125.google.com (mail-px0-f125.google.com [209.85.216.125]) by core3.amsl.com (Postfix) with ESMTP id 5515D3A6C16 for <oauth@ietf.org>; Wed, 13 May 2009 06:12:00 -0700 (PDT)
Received: by pxi31 with SMTP id 31so212023pxi.29 for <oauth@ietf.org>; Wed, 13 May 2009 06:13:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=VJK5W/K+lCXDXvLJ3eD55vZJRo8ZRQMVqSlHStZd7qM=; b=ZeOWZAfZpWWI3z1nQ1yjnwZdo2bmobgulfNEP8kXNRdB6HyFDGHe4nVq3RehLxWNMP vEFJztpLzVO3zJSnpSvuzFVAONuuOG4o9LuPOfQmu69vhXpeYRgyjHGrwJKcJ2KU7PPN xgCMo7wIQA0LStMQvSp99j1enLhMFx7tSGdfg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=TA2sFQju0vrRgBHMtIV5s+BEfYsPbYAe5O1OtmSDhO0HHTQFZaAX7tvr3ZklkuYv89 EBF883D/JBOnMQPZvwm5RSdfZ6OwonQoHYmCPI1RKUeyveok7dxtApq7y2Fj9KEWJN9Z BxtRqsSocGrGrI2dyXQ+l7qhHoAKV9JIeWr04=
Received: by 10.115.48.12 with SMTP id a12mr791241wak.167.1242220410813; Wed, 13 May 2009 06:13:30 -0700 (PDT)
Received: from ?192.168.0.193? (CPE0016d3a0e409-CM0012256eb4b4.cpe.net.cable.rogers.com [99.224.67.178]) by mx.google.com with ESMTPS id j39sm1404448waf.45.2009.05.13.06.13.28 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 13 May 2009 06:13:29 -0700 (PDT)
Message-ID: <4A0AC774.3070806@gmail.com>
Date: Wed, 13 May 2009 09:13:24 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <010f01c9bd9f$290653a0$0201a8c0@nsnintra.net>
In-Reply-To: <010f01c9bd9f$290653a0$0201a8c0@nsnintra.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org, Adrian.Farrel@huawei.com
Subject: Re: [oauth] OAuth Charter Text (15th April 2009)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2009 13:12:01 -0000

the wording of the example below seems to imply that the photo-sharing 
site would necessarily support OAuth, but not the printing site

paul

Hannes Tschofenig wrote:
> Open Authentication Protocol (oauth)
>
> Last Modified: 2009-04-15
>
> Chair(s):
>
> TBD
>
> Applications Area Director(s):
>
> Alexey Melnikov <alexey.melnikov@isode.com>
> Lisa Dusseault <lisa@osafoundation.org> 
>
> Applications Area Advisor:
>
> TBD
>
> Mailing Lists:
>
> https://www.ietf.org/mailman/listinfo/oauth
>
> Description of Working Group:
>
> OAuth allows a user to grant a third-party Web site or application access to
> the user's resources, without necessarily revealing the user's credentials,
> or even the user's identity. For example, a photo-sharing site that supports
> OAuth would allow its users to use a third-party printing Web site to access
> the user's private pictures, without gaining full control of the user
> account.
>
> OAuth consists of:
>   * A mechanism for exchanging a user's credentials for a token-secret pair,
> which can be used by a third party to access resources on the user's behalf.
>   * A mechanism for signing HTTP requests with the token-secret pair.
>
> The Working Group will produce one or more documents suitable for
> consideration as Proposed Standard that will:
>   * Improve the terminology used.
>   * Embody good security practice, or document gaps in its capabilities, and
> propose a path forward for addressing the gaps.
>   * Promote interoperability.
>   * Provide guidelines for extensibility.
>
> This specifically means that as a starting point for the working group OAuth
> 1.0 (i.e., draft-hammer-oauth-00.txt), which is a copy of the original OAuth
> specification in IETF draft format, is used and the available extension
> points are going to be utilized. In completing its work to profile OAuth 1.0
> to become OAuth 1.1, the group will strive to retain backward compatibility
> with the OAuth 1.0 specification. However, changes that are not backward
> compatible might be accepted if the group determines that the changes are
> required to meet the group's technical objectives and the group clearly
> documents the reasons for making them.
>
> Furthermore, OAuth 1.0 defines three signature methods used to protect
> requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on
> new signature methods and will describe the environments where new security
> requirements justify their usage. Existing signature methods will not be
> modified, but may be dropped as part of the backward compatible profiling
> activity. The applicability of existing and new signature methods to
> protocols other than HTTP will be investigated.
>
> The Working Group should consider:
>   * Implementer experience.
>   * The end-user experience, including internationalization.
>   * Existing uses of OAuth.
>   * Ability to achieve broad implementation.
>   * Ability to address broader use cases than may be contemplated by the
> original authors.
>
> After delivering OAuth 1.1, the Working Group may consider defining
> additional functions and/or extensions, for example (but not limited to):
>  * Discovery of OAuth configuration, e.g., http://oauth.net/discovery/1.0.
>  * Comprehensive message integrity, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
>  * Recommendations regarding the structure of the token.
>  * Localization, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
>  * Session-oriented tokens, e.g.,
> http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
>  * Alternate token exchange profiles, e.g.,
> draft-dehora-farrell-oauth-accesstoken-creds-00.
>
> The work on extensions is within the scope of the working group charter, but
> requires consensus within the group to add new milestones. 
>
> The Working Group will also define a generally applicable HTTP
> authentication mechanism (i.e., browser-based "2-leg" scenario).
>
> Goals and Milestones:
>
> Apr 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' as
> working group item
>             (draft-hammer-oauth will be used as a starting point for further
> work.)
> Jul 2009    Submit a document as a working group item providing the
> functionality of the 2-legged HTTP authentication mechanism 
> Jul 2009    Start of discussion about OAuth extensions the group should work
> on
> Oct 2009    Start Working Group Last Call on 'OAuth: HTTP Authorization
> Delegation Protocol'
> Nov 2009    Submit 'OAuth: HTTP Authorization Delegation Protocol' to the
> IESG for consideration as a Proposed Standard 
> Nov 2009    Start Working Group Last Call on the 2-legged HTTP
> authentication mechanism document
> Nov 2009    Prepare milestone update to start new work within the scope of
> the charter
> Dec 2009    Submit 2-legged HTTP authentication mechanism document to the
> IESG for consideration as a Proposed Standard 
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>   
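The charter quoted above reduces OAuth 1.0 to two mechanisms (exchanging credentials for a token-secret pair, and signing HTTP requests with that pair) and names its three signature methods. As an added example, not code from this list or from any OAuth implementation, the Python below builds the signature base string, signs it with HMAC-SHA1 (with PLAINTEXT as the alternative), emits the Authorization header, and verifies the request on the server side with a constant-time comparison plus the timestamp and nonce checks that OAuth Core 1.0 asks service providers to perform. The request, consumer key, token and secrets are the worked example from RFC 5849 section 3.4.1 (the IETF's 2010 publication of OAuth 1.0); the Verifier class, its in-memory nonce store and the clock pinned to the example's timestamp are assumptions made for illustration.

```python
"""OAuth 1.0 HMAC-SHA1 / PLAINTEXT request signing and server-side verification
per OAuth Core 1.0a and RFC 5849.  Added example, not code from this list or any
OAuth project; the Verifier (nonce store, pinned clock) is assumed for illustration."""
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(s: str) -> str:
    """Percent-encode with uppercase hex, leaving only RFC 3986 unreserved chars bare."""
    return quote(s, safe="-._~")

def base_string_uri(url: str) -> str:
    """scheme://host[:port]/path: lowercased, default port dropped, query removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"

def normalize_params(pairs):
    """Encode names and values, sort by name then value, join with '&'."""
    enc = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in enc)

def signature_base_string(method, url, body_params, oauth_params):
    """METHOD & encode(base URI) & encode(normalized query + body + oauth_* params)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(body_params)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "realm"]
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_params(pairs))])

def signing_key(consumer_secret, token_secret=""):
    """encode(consumer secret) & encode(token secret); the token secret is empty when 2-legged."""
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"

def sign(method, url, body_params, oauth_params, consumer_secret, token_secret=""):
    """Return the oauth_signature value for oauth_params['oauth_signature_method']."""
    key = signing_key(consumer_secret, token_secret)
    sig_method = oauth_params["oauth_signature_method"]
    if sig_method == "HMAC-SHA1":
        base = signature_base_string(method, url, body_params, oauth_params)
        digest = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
        return base64.b64encode(digest).decode("ascii")
    if sig_method == "PLAINTEXT":
        return key  # the secrets themselves are sent: only acceptable over TLS
    raise ValueError(f"unsupported oauth_signature_method {sig_method!r}")

def authorization_header(oauth_params, signature):
    """Build 'Authorization: OAuth ...'; realm is the only value left unencoded."""
    fields = dict(oauth_params, oauth_signature=signature)
    realm = fields.pop("realm", None)
    parts = [f'realm="{realm}"'] if realm is not None else []
    parts += [f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in fields.items()]
    return "OAuth " + ", ".join(parts)

class Verifier:
    """Server side: recompute, compare in constant time, reject stale or replayed requests."""
    def __init__(self, consumer_secrets, token_secrets, window=300, now=time.time):
        self.consumer_secrets, self.token_secrets = consumer_secrets, token_secrets
        self.window, self.now, self.seen = window, now, set()

    def verify(self, method, url, body_params, oauth_params):
        try:
            ckey, token = oauth_params["oauth_consumer_key"], oauth_params.get("oauth_token", "")
            csecret, tsecret = self.consumer_secrets[ckey], (self.token_secrets[token] if token else "")
            ts, nonce, presented = (int(oauth_params["oauth_timestamp"]), oauth_params["oauth_nonce"],
                                    oauth_params["oauth_signature"].encode("ascii"))
        except (KeyError, ValueError):
            return False  # unknown consumer/token, or a malformed request
        if abs(self.now() - ts) > self.window or (ckey, ts, nonce) in self.seen:
            return False  # outside the freshness window, or a replayed nonce
        expected = sign(method, url, body_params, oauth_params, csecret, tsecret)
        if not hmac.compare_digest(expected.encode("ascii"), presented):
            return False
        self.seen.add((ckey, ts, nonce))
        return True

# The request, keys and secrets are the worked example in RFC 5849 section 3.4.1.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
RFC_OAUTH = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
             "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"

def rfc5849_example():
    """Sign the RFC request, verify it, then show that a replay and a tampered body fail."""
    sig = sign("POST", RFC_URL, RFC_BODY, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    received = dict(RFC_OAUTH, oauth_signature=sig)
    v1, v2 = (Verifier({"9djdj82h48djs9d2": CONSUMER_SECRET}, {"kkk9d7dh3k39sjv7": TOKEN_SECRET},
                       now=lambda: 137131201) for _ in range(2))  # clock pinned to the example
    return {
        "base_string": signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH),
        "signature": sig,
        "header": authorization_header(RFC_OAUTH, sig),
        "accepted": v1.verify("POST", RFC_URL, RFC_BODY, received),
        "replay_rejected": not v1.verify("POST", RFC_URL, RFC_BODY, received),
        "tamper_rejected": not v2.verify("POST", RFC_URL, [("c2", ""), ("a3", "2 q!")], received),
    }
```

Printing rfc5849_example() shows the base string exactly as RFC 5849 prints it, the same request accepted once and rejected as a replay the second time, and one altered body parameter invalidating the signature. Note that the base64 signature is percent-encoded a second time when placed in the header (its trailing "=" becomes %3D); forgetting that second encoding is a frequent cause of signature mismatches between consumer and service provider.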

From james@atreus.tartarus.org  Wed May 13 06:58:25 2009
Return-Path: <james@atreus.tartarus.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A2AA3A6FAC for <oauth@core3.amsl.com>; Wed, 13 May 2009 06:58:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.11
X-Spam-Level: 
X-Spam-Status: No, score=-5.11 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lUe17NZajn4t for <oauth@core3.amsl.com>; Wed, 13 May 2009 06:58:24 -0700 (PDT)
Received: from atreus.tartarus.org (atreus.tartarus.org [80.252.125.10]) by core3.amsl.com (Postfix) with ESMTP id 31ABD3A67FC for <oauth@ietf.org>; Wed, 13 May 2009 06:58:24 -0700 (PDT)
Received: from james by atreus.tartarus.org with local (Exim 4.63) (envelope-from <james@atreus.tartarus.org>) id 1M4Ezy-0003q7-Uf for oauth@ietf.org; Wed, 13 May 2009 14:59:54 +0100
Date: Wed, 13 May 2009 14:59:54 +0100
From: James Aylett <james-ietf@tartarus.org>
To: oauth@ietf.org
Message-ID: <20090513135954.GF9176@tartarus.org>
References: <010f01c9bd9f$290653a0$0201a8c0@nsnintra.net> <4A0AC774.3070806@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4A0AC774.3070806@gmail.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
Subject: Re: [oauth] OAuth Charter Text (15th April 2009)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2009 13:58:25 -0000

On Wed, May 13, 2009 at 09:13:24AM -0400, Paul Madsen wrote:

> the wording of the example below seems to imply that the photo-sharing 
> site would necessarily support OAuth, but not the printing site

That's not how I read it at all; I read it as saying that the
photo-sharing site would support OAuth to allow 3rd party sites access
to the photos, and the printing site would implement OAuth to get
that. Anything symmetric is out of scope of the example, but can
easily be imagined.

J

-- 
  James Aylett

  talktorex.co.uk - xapian.org - uncertaintydivision.org

From wwwrun@core3.amsl.com  Wed May 13 12:47:04 2009
Return-Path: <wwwrun@core3.amsl.com>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 30) id C313B28C218; Wed, 13 May 2009 12:47:04 -0700 (PDT)
From: IESG Secretary <iesg-secretary@ietf.org>
To: IETF Announcement list <ietf-announce@ietf.org>
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Message-Id: <20090513194704.C313B28C218@core3.amsl.com>
Date: Wed, 13 May 2009 12:47:04 -0700 (PDT)
Cc: oauth@ietf.org
Subject: [oauth] WG Action: Open Authentication Protocol (oauth)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2009 19:47:04 -0000

A new IETF working group has been formed in the Applications Area.  For
additional information, please contact the Area Directors or the WG
Chairs.

Open Authentication Protocol (oauth)
-------------------------------------

Last Modified: 2009-05-03

Current Status: Active Working Group

Chair(s):

Blaine Cook <romeda@gmail.com>
Peter St. André <stpeter@stpeter.im>

Applications Area Director(s):

Alexey Melnikov <alexey.melnikov@isode.com>
Lisa Dusseault <lisa.dusseault@messagingarchitects.com>

Applications Area Advisor:

Lisa Dusseault <lisa.dusseault@messagingarchitects.com>

Security Advisor:

Hannes Tschofenig <hannes.tschofenig@nsn.com>

Mailing Lists:
General Discussion: oauth@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/oauth
Archive: http://www.ietf.org/mail-archive/web/oauth/current/maillist.html

Description of Working Group:

OAuth allows a user to grant a third-party Web site or
application access to their resources, without necessarily
revealing their credentials, or even their identity. For
example, a photo-sharing site that supports OAuth would
allow its users to use a third-party printing Web site to
access their private pictures, without gaining full control
of the user account.

OAuth consists of:
* A mechanism for a user to authorize issuance of credentials which
a third party can use to access resources on their behalf.
* Mechanism for using the issued credential to authenticate
HTTP requests (called "signatures" in current OAuth).

The Working Group will produce one or more documents
suitable for consideration as Proposed Standard that will:
* Improve the terminology used.
* Embody good security practice, or document gaps in its
capabilities, and propose a path forward for addressing the
gap.
* Promote interoperability.
* Provide guidelines for extensibility.

This specifically means that as a starting point for the
working group OAuth 1.0 (i.e., draft-hammer-oauth),
which is a copy of the original OAuth specification in IETF
draft format, is used and the available extension points
are going to be utilized. In completing its work to update
OAuth 1.0 to become OAuth 1.1, the group will strive to
retain backwards compatibility with the OAuth 1.0
specification. However, changes that are not backwards
compatible might be accepted if the group determines that
the changes are required to meet the group's technical
objectives and the group clearly documents the reasons for
making them.

Furthermore, OAuth 1.0 defines three "signature" methods used
to protect requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1.
The group will work on new authentication ("signature")
methods and will describe the environments where new security
requirements justify their usage. Existing signature methods will
not be modified but may be dropped as part of the backwards
compatible profiling activity. The applicability of
existing and new authentication methods to protocols other than
HTTP will be investigated.

The Working Group should consider:
* Implementer experience.
* The end-user experience, including internationalization.
* Existing uses of OAuth.
* Ability to achieve broad implementation.
* Ability to address broader use cases than may be
contemplated by the original authors.

After delivering OAuth 1.1, the Working Group may consider
defining additional functions and/or extensions, for
example (but not limited to):
* Discovery of OAuth configuration, e.g.,
http://oauth.net/discovery/1.0.
* Comprehensive message integrity, e.g.,
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html.
* Recommendations regarding the structure of the token.
* Localization, e.g.,
http://oauth.googlecode.com/svn/spec/ext/language_preference/1.0/drafts/2/spec.html.
* Session-oriented tokens, e.g.,
http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html.
* Alternate token exchange profiles, e.g.,
draft-dehora-farrell-oauth-accesstoken-creds-00.

The work on extensions is within the scope of the working
group charter and requires consensus within the group to
add new milestones.

The Working Group will also define a generally applicable
HTTP authentication mechanism (i.e., browser-based "2-leg"
scenario).

Goals and Milestones:

Apr 2009 Submit 'OAuth: HTTP Authorization Delegation
Protocol' as working group item (draft-hammer-oauth will be
used as a starting point for further work.)
Jul 2009 Submit a document as a working group item
providing the functionality of the 2-legged HTTP
authentication mechanism
Jul 2009 Start of discussion about OAuth extensions the
group should work on
Oct 2009 Start Working Group Last Call on 'OAuth: HTTP
Authorization Delegation Protocol'
Nov 2009 Submit 'OAuth: HTTP Authorization Delegation
Protocol' to the IESG for consideration as a Proposed
Standard
Nov 2009 Start Working Group Last Call on the 2-legged HTTP
authentication mechanism document
Nov 2009 Prepare milestone update to start new work within
the scope of the charter
Dec 2009 Submit 2-legged HTTP authentication mechanism
document to the IESG for consideration as a Proposed
Standard
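The charter above names the three OAuth 1.0 signature methods (PLAINTEXT, HMAC-SHA1, RSA-SHA1), the credential-issuance and request-authentication mechanisms, and the "2-leg" scenario, but none of the messages on this list show how a request is actually signed. The following is an added worked example, not part of the charter announcement or of any message in this archive, showing how the HMAC-SHA1 and PLAINTEXT methods of draft-hammer-oauth / OAuth Core 1.0 authenticate an HTTP request: build the signature base string, derive the signing key from the consumer and token secrets, sign, and verify. The sample request, secrets and expected signature are the ones printed in Appendix A of the OAuth Core 1.0 specification (which the charter says draft-hammer-oauth copies); the Python function names are this example's own. RSA-SHA1 is left out because it needs a key pair and a crypto library outside the standard library.

```python
"""OAuth 1.0 request signing (HMAC-SHA1 and PLAINTEXT) as in section 3 of
draft-hammer-oauth.  Added example; the function names here are not from
the spec or from any OAuth library."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(value):
    # RFC 3986 unreserved characters stay; everything else becomes %XX (uppercase).
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    # Scheme and host lower-cased, default port dropped, query string excluded.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalized_parameters(params):
    # params: iterable of (name, value) pairs.  oauth_signature itself is never
    # signed; names and values are encoded first, then sorted by name, then value.
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params
                     if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params):
    # Query parameters from the URL are signed together with the oauth_* ones,
    # so a proxy or attacker cannot alter them without invalidating the MAC.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "&".join([
        method.upper(),
        pct_encode(base_string_uri(url)),
        pct_encode(normalized_parameters(list(query) + list(oauth_params))),
    ])


def signing_key(consumer_secret, token_secret=""):
    # "2-legged" requests carry no token; the key then ends in a bare "&".
    return f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}"


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    sig_method = dict(oauth_params)["oauth_signature_method"]
    key = signing_key(consumer_secret, token_secret)
    if sig_method == "PLAINTEXT":
        # The "signature" is the key itself: the shared secrets travel in the
        # request (percent-encoded once more in the header), so TLS is mandatory.
        return key
    if sig_method == "HMAC-SHA1":
        base = signature_base_string(method, url, oauth_params).encode("ascii")
        mac = hmac.new(key.encode("ascii"), base, hashlib.sha1).digest()
        return base64.b64encode(mac).decode("ascii")
    raise ValueError(f"unsupported oauth_signature_method {sig_method!r}")


def verify(method, url, oauth_params, consumer_secret, token_secret, presented):
    # Recompute from the server's own copy of the secrets and compare in
    # constant time.  A real server must also reject stale oauth_timestamp
    # values and reused oauth_nonce values, or signed requests can be replayed.
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Sample request from OAuth Core 1.0, Appendix A (spec values, not constructed).
EXAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
EXAMPLE_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
EXPECTED_SIGNATURE = "tR3+Ty81lMeYAr/Fid0kMTYa/WM="

if __name__ == "__main__":
    print(signature_base_string("GET", EXAMPLE_URL, EXAMPLE_PARAMS))
    sig = sign("GET", EXAMPLE_URL, EXAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(sig, sig == EXPECTED_SIGNATURE)
    # Changing a signed query parameter invalidates the signature.
    tampered = EXAMPLE_URL.replace("size=original", "size=large")
    print(verify("GET", tampered, EXAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET, sig))
```

The 2-legged case the charter mentions is the same computation with no token and an empty token secret, which is why `signing_key` keeps the trailing "&". Note that HMAC-SHA1 here only binds the method, the base URI and the parameters; the request body is not covered unless it is form-encoded, which is the gap the "body hash" extension listed in the charter exists to close.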

From stpeter@stpeter.im  Fri May 29 13:26:59 2009
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD1AB3A6E03 for <oauth@core3.amsl.com>; Fri, 29 May 2009 13:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.414
X-Spam-Level: 
X-Spam-Status: No, score=-2.414 tagged_above=-999 required=5 tests=[AWL=0.185,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNfyN-iYh1VJ for <oauth@core3.amsl.com>; Fri, 29 May 2009 13:26:58 -0700 (PDT)
Received: from dizzyd.com (dizzyd.com [207.210.219.225]) by core3.amsl.com (Postfix) with ESMTP id DBFCD3A69CB for <oauth@ietf.org>; Fri, 29 May 2009 13:26:58 -0700 (PDT)
Received: from squire.local (dsl-240-195.dynamic-dsl.frii.net [216.17.240.195]) (Authenticated sender: stpeter) by dizzyd.com (Postfix) with ESMTPSA id E275D40C2A for <oauth@ietf.org>; Fri, 29 May 2009 14:28:42 -0600 (MDT)
Message-ID: <4A20457A.1000507@stpeter.im>
Date: Fri, 29 May 2009 14:28:42 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: oauth@ietf.org
X-Enigmail-Version: 0.95.7
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [oauth] WG kickoff
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2009 20:27:00 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Welcome to the IETF's OAuth WG!

This list will be the primary venue for discussions related to the work
items defined in our charter:

http://www.ietf.org/html.charters/oauth-charter.html

(Naturally, work on non-charter items will continue in parallel via
other discussion venues, see <http://oauth.net/> for details.)

Please note that we have some nifty tools here:

http://tools.ietf.org/wg/oauth/

The tools at our disposal include issue tracking, wiki pages, and links
to this list, our charter, and the chatroom logs. To get a good idea of
how we can use these tools, check out the site of the HTTPBIS WG:

http://tools.ietf.org/wg/httpbis/

As co-chairs, Blaine Cook and I have talked with Eran Hammer-Lahav
(editor of the core OAuth spec) about our next steps and it seems that
the first order of business is deciding whether we need one core spec
(basically <http://tools.ietf.org/html/draft-hammer-oauth> with updates)
or two, which would be:

1. The format and protocol for authentication requests as in Section 3
of draft-hammer-oauth

2. The authorization workflow (or workflows) as in Section 4 of
draft-hammer-oauth

We can split the spec into two pieces at any time, but it might
facilitate issue tracking and spec writing to make that decision now.

Thanks!

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkogRXoACgkQNL8k5A2w/vwtfACgguTJcjbXjG1SVGUiFU0psDAq
i8sAoIpIf/0pWVtpt9yHErXeJnM6/g+d
=pZYY
-----END PGP SIGNATURE-----

From rbarnes@bbn.com  Fri May 29 14:06:36 2009
Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7EDDA3A6977 for <oauth@core3.amsl.com>; Fri, 29 May 2009 14:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=0.001,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ma8013i+UU3o for <oauth@core3.amsl.com>; Fri, 29 May 2009 14:06:35 -0700 (PDT)
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 564B43A681E for <oauth@ietf.org>; Fri, 29 May 2009 14:06:35 -0700 (PDT)
Received: from [128.89.254.217] (helo=Richard-Barnes-Laptop.local) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <rbarnes@bbn.com>) id 1MA9JK-0002wu-Eq; Fri, 29 May 2009 17:08:18 -0400
Message-ID: <4A204EC0.70903@bbn.com>
Date: Fri, 29 May 2009 17:08:16 -0400
From: Richard Barnes <rbarnes@bbn.com>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4A20457A.1000507@stpeter.im>
In-Reply-To: <4A20457A.1000507@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [oauth] WG kickoff
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2009 21:06:36 -0000

Hey Peter,

Thanks for the welcome note.  It reminded me that I have some comments 
on draft-hammer-oauth that I need to send in...

With regard to the question of one or two specs, my preference would be 
to have two specs, roughly along the lines you propose:
1. A generic framework for setting up authorization relationships, and
2. An implementation of that framework in HTTP

--Richard


Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Welcome to the IETF's OAuth WG!
> 
> This list will be the primary venue for discussions related to the work
> items defined in our charter:
> 
> http://www.ietf.org/html.charters/oauth-charter.html
> 
> (Naturally, work on non-charter items will continue in parallel via
> other discussion venues, see <http://oauth.net/> for details.)
> 
> Please note that we have some nifty tools here:
> 
> http://tools.ietf.org/wg/oauth/
> 
> The tools at our disposal include issue tracking, wiki pages, and links
> to this list, our charter, and the chatroom logs. To get a good idea of
> how we can use these tools, check out the site of the HTTPBIS WG:
> 
> http://tools.ietf.org/wg/httpbis/
> 
> As co-chairs, Blaine Cook and I have talked with Eran Hammer-Lahav
> (editor of the core OAuth spec) about our next steps and it seems that
> the first order of business is deciding whether we need one core spec
> (basically <http://tools.ietf.org/html/draft-hammer-oauth> with updates)
> or two, which would be:
> 
> 1. The format and protocol for authentication requests as in Section 3
> of draft-hammer-oauth
> 
> 2. The authorization workflow (or workflows) as in Section 4 of
> draft-hammer-oauth
> 
> We can split the spec into two pieces at any time, but it might
> facilitate issue tracking and spec writing to make that decision now.
> 
> Thanks!
> 
> Peter
> 
> - --
> Peter Saint-Andre
> https://stpeter.im/
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkogRXoACgkQNL8k5A2w/vwtfACgguTJcjbXjG1SVGUiFU0psDAq
> i8sAoIpIf/0pWVtpt9yHErXeJnM6/g+d
> =pZYY
> -----END PGP SIGNATURE-----
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 

From alexey.melnikov@isode.com  Fri May 29 15:27:33 2009
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D21053A6FD9 for <oauth@core3.amsl.com>; Fri, 29 May 2009 15:27:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.956
X-Spam-Level: 
X-Spam-Status: No, score=-1.956 tagged_above=-999 required=5 tests=[AWL=0.643,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id umT6hMxRtrk3 for <oauth@core3.amsl.com>; Fri, 29 May 2009 15:27:33 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id EDB6B3A6C5D for <oauth@ietf.org>; Fri, 29 May 2009 15:27:32 -0700 (PDT)
Received: from [92.40.105.21] (92.40.105.21.sub.mbb.three.co.uk [92.40.105.21])  by rufus.isode.com (submission channel) via TCP with ESMTPA  id <SiBhuwAh5GSF@rufus.isode.com>; Fri, 29 May 2009 23:29:16 +0100
Message-ID: <4A20619D.9050704@isode.com>
Date: Fri, 29 May 2009 23:28:45 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4A20457A.1000507@stpeter.im>
In-Reply-To: <4A20457A.1000507@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [oauth] WG kickoff
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2009 22:27:33 -0000

Hi Peter,

Peter Saint-Andre wrote:
 [...]

>As co-chairs, Blaine Cook and I have talked with Eran Hammer-Lahav
>(editor of the core OAuth spec) about our next steps and it seems that
>the first order of business is deciding whether we need one core spec
>(basically <http://tools.ietf.org/html/draft-hammer-oauth> with updates)
>or two, which would be:
>
>1. The format and protocol for authentication requests as in Section 3
>of draft-hammer-oauth
>
>2. The authorization workflow (or workflows) as in Section 4 of
>draft-hammer-oauth
>  
>
(In my capacity as an individual contributor) I agree it would be better 
to split the documents.

>We can split the spec into two pieces at any time, but it might
>facilitate issue tracking and spec writing to make that decision now.
>  
>


From hubertlvg@gmail.com  Sat May 30 04:52:21 2009
Return-Path: <hubertlvg@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 71F5F3A7003 for <oauth@core3.amsl.com>; Sat, 30 May 2009 04:52:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPESyESziXxe for <oauth@core3.amsl.com>; Sat, 30 May 2009 04:52:20 -0700 (PDT)
Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.25]) by core3.amsl.com (Postfix) with ESMTP id 293C53A6F63 for <oauth@ietf.org>; Sat, 30 May 2009 04:52:20 -0700 (PDT)
Received: by ey-out-2122.google.com with SMTP id d26so212392eyd.31 for <oauth@ietf.org>; Sat, 30 May 2009 04:54:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=5YwRwvxpZf55YOP8dKoe+hIYVTGBPMvccQ8uSWkdsTw=; b=iFXlmItbp2FJ+Si8LGWEOBCm2ojisQDYcSfSsRul4nfrwZQBm6ujtRhIYLXN7h1TWO TirZpewCzVXHZ3Wj4EHCU157ZX2HKQ4aAdxbCWLZTe/dx8PliNAx2fZd4cCsTBIAXRLi c09s7S04qkKpvfOGOvMwW5NtZ4pDN/4CSC7x8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=GqgIBnXy9nC36/HQpKO1USjGKdW/qTvNaejtWEu/list1g7UiiL7z2770Zhrc4rX5E 4y696e4o5YIhYG8rN3m2fQK2Mxg+Meqx1yqJFtKxs2AvP+WXurOFUf0N+xVhye0DIBfQ gpayf5sDriYdFieDsitonT3VWXkwgrrM4Mjsk=
MIME-Version: 1.0
Received: by 10.210.143.11 with SMTP id q11mr3432639ebd.66.1243684442127; Sat,  30 May 2009 04:54:02 -0700 (PDT)
In-Reply-To: <4A20457A.1000507@stpeter.im>
References: <4A20457A.1000507@stpeter.im>
Date: Sat, 30 May 2009 13:54:02 +0200
Message-ID: <6c0fd2bc0905300454p1d5a49f4vda36c57c080fbb53@mail.gmail.com>
From: Hubert Le Van Gong <hubertlvg@gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [OAUTH] [oauth] WG kickoff
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2009 11:52:21 -0000

+1 on splitting the spec into 2 documents.
Also since we did have consensus that the 2-legged scenario (browser-less?) is
to be considered, it would fit nicely into the doc #2, wouldn't it?

Hubert



On Fri, May 29, 2009 at 10:28 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Welcome to the IETF's OAuth WG!
>
> This list will be the primary venue for discussions related to the work
> items defined in our charter:
>
> http://www.ietf.org/html.charters/oauth-charter.html
>
> (Naturally, work on non-charter items will continue in parallel via
> other discussion venues, see <http://oauth.net/> for details.)
>
> Please note that we have some nifty tools here:
>
> http://tools.ietf.org/wg/oauth/
>
> The tools at our disposal include issue tracking, wiki pages, and links
> to this list, our charter, and the chatroom logs. To get a good idea of
> how we can use these tools, check out the site of the HTTPBIS WG:
>
> http://tools.ietf.org/wg/httpbis/
>
> As co-chairs, Blaine Cook and I have talked with Eran Hammer-Lahav
> (editor of the core OAuth spec) about our next steps and it seems that
> the first order of business is deciding whether we need one core spec
> (basically <http://tools.ietf.org/html/draft-hammer-oauth> with updates)
> or two, which would be:
>
> 1. The format and protocol for authentication requests as in Section 3
> of draft-hammer-oauth
>
> 2. The authorization workflow (or workflows) as in Section 4 of
> draft-hammer-oauth
>
> We can split the spec into two pieces at any time, but it might
> facilitate issue tracking and spec writing to make that decision now.
>
> Thanks!
>
> Peter
>
> - --
> Peter Saint-Andre
> https://stpeter.im/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkogRXoACgkQNL8k5A2w/vwtfACgguTJcjbXjG1SVGUiFU0psDAq
> i8sAoIpIf/0pWVtpt9yHErXeJnM6/g+d
> =pZYY
> -----END PGP SIGNATURE-----
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
