W3C home > Mailing lists > Public > public-xg-socialweb@w3.org > November 2009

Fwd: [OAUTH-WG] OAuth 2.0 / Charter

From: Dan Brickley <danbri@danbri.org>
Date: Sun, 29 Nov 2009 11:24:49 +0100
Message-Id: <A005FEC8-64D0-4EA7-AC95-2EE090B5CBB6@danbri.org>
To: "public-xg-socialweb@w3.org" <public-xg-socialweb@w3.org>

Important crossroads for OAuth...

Dan



Begin forwarded message:

> From: Eran Hammer-Lahav <eran@hueniverse.com>
> Date: 29 November 2009 08:59:21 CET
> To: "Peter Saint-Andre (stpeter@stpeter.im)" <stpeter@stpeter.im>,  
> "Lisa Dusseault (lisa.dusseault@gmail.com)" <lisa.dusseault@gmail.com>
> Cc: "OAuth WG \(oauth@ietf.org\)" <oauth@ietf.org>
> Subject: [OAUTH-WG] OAuth 2.0 / Charter
>

> With the cleanup of the 1.0 specification [1] and the publication of  
> an informational RFC (pending IESG approval), I no longer see value  
> in a standard closely based on the 1.0 specification, which was the  
> original intention of this WG. This is also reflected by the recent  
> interest in the WRAP proposal [2].
>
> Instead, I think we should develop two specifications that while  
> closely in line with the original plan, represent a significant  
> shift. In other words, I am proposing we develop OAuth 2.0, not 1.1.
>
> The new proposal is to develop two specifications:
>
> 1. Token Authorization Method
>
> An RFC 2617 Authorization header called 'Token' for authenticating  
> requests with token-based credentials. Tokens (with optional shared- 
> secret) are usually used in place of other credentials (usernames,  
> etc.) and represent some combination of scope and authorization. The  
> token method will include an extensible signature-based option based  
> on the HMAC-SHA1 method, and a bearer token (with optional secret)  
> option based on the PLAINTEXT method. The RSA option will be dropped.
>
> 2. OAuth 2.0
>
> A specification based on the browser-redirection flow described in  
> OAuth 1.0 as well as new methods defined in WRAP (I-D submission  
> pending). OAuth will be redefined to cover the authorization  
> component only, and will no longer be bound to a single  
> authentication method. This will make OAuth immediately useful for  
> other protocols than HTTP (while HTTP will be used to obtain tokens,  
> tokens will be useful in other protocols, not just with the HTTP and  
> Token method).
>
> ---
>
> While the current charter allows much of this work, it contradicts  
> its spirit and the understanding reached when we created the working  
> group.
>
> I would like to ask:
>
> - Is this approach favorable by the group?
> - Do we need to adjust the language in the charter to support?
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-hammer-oauth
> [2] http://bit.ly/oauth-wrap
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
Received on Sunday, 29 November 2009 10:24:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 29 November 2009 10:24:56 GMT