[10:43:42] james.manger joins the room
[10:46:10] Hello OAuth (from a newbie at Jabbering)
[10:50:51] Suggestion 1: eliminate the dual secrets. The consumer_secret is required to collect a token_secret so there is no need to use both subsequently. Makes the protocol much simpler (& more standard): 1 id & 1 secret to authenticate each request.
[10:51:42] james.manger leaves the room
[14:30:44] HannesTschofenig joins the room
[14:34:41] HannesTschofenig leaves the room
[19:10:21] james.manger joins the room
[19:10:21] james.manger leaves the room
[19:13:22] Dan York joins the room
[19:52:02] sm joins the room
[19:52:22] Ben Ramsey joins the room
[19:53:04] rlbob joins the room
[19:54:12] sm leaves the room
[19:54:15] =JeffH joins the room
[19:56:59] jtrentadams joins the room
[19:58:02] Blaine Cook joins the room
[19:58:51] resnick joins the room
[19:58:51] resnick leaves the room
[19:59:48] clatze joins the room
[20:00:31] shirleyhm joins the room
[20:03:53] sftcd joins the room
[20:04:29] meadhbh.siobhan joins the room
[20:06:09] mikemlb joins the room
[20:06:28] hmm.. volume is a touch low
[20:06:58] perfect!
[20:07:10] Eran Hammer-Lahav joins the room
[20:07:22] Aaron Stone joins the room
[20:07:32] tlyu joins the room
[20:07:46] bof starts @ 1:08
[20:08:04] hardie joins the room
[20:08:05] Barry Leiba joins the room
[20:08:08] resnick joins the room
[20:08:24] sm joins the room
[20:08:39] charter has been discussed on list, that discussion concluded
[20:08:54] ekr made comments today
[20:08:57] Seth Fitzsimmons joins the room
[20:09:23] hartmans@jis.mit.edu/owl joins the room
[20:10:20] tonyhansen joins the room
[20:10:48] hannes: don't want to wordsmith charter, rather get into doc items
[20:11:01] q: why is this apps area rather than sec area?
[20:11:05] Ben Ramsey leaves the room
[20:11:25] Ben Ramsey joins the room
[20:11:44] lisa d: requires both HTTP and sec expertise, but i was there to sponsor, that seems OK to people
[20:11:56] stpeter joins the room
[20:12:09] Mark Lentczner joins the room
[20:12:22] Cullen Jennings joins the room
[20:12:28] jack joins the room
[20:12:28] eran hammer-lahav starts presentation on OAuth
[20:12:37] james.manger joins the room
[20:12:37] james.manger leaves the room
[20:12:47] David Cooper joins the room
[20:12:48] stpeter leaves the room
[20:12:56] specifically where spec is today and how it can move forward
[20:13:37] fenton joins the room
[20:13:38] hardie leaves the room
[20:13:47] draft 02 just has a couple of minor changes ...
[20:13:53] richard.barens joins the room
[20:14:06] richard.barens leaves the room
[20:14:11] draft 01 is complete rewrite of 00 draft, ie original oauth spec
[20:14:21] eliot.lear joins the room
[20:14:28] richard.barnes joins the room
[20:14:42] split into two parts: HTTP authn mechanism; and the redirection/authorization flow
[20:15:12] james.manger joins the room
[20:15:13] serves to represent redirection flow as just one possible flow among many
[20:15:38] hildjj joins the room
[20:16:14] questions to audience: is intent clear? examples? terminology?
[20:16:16] Ted joins the room
[20:16:54] move away from original oauth consumer/provider to more standard HTTP terms
[20:17:17] Bernie joins the room
[20:17:46] Mark Lentczner leaves the room
[20:17:56] Mark Lentczner joins the room
[20:17:58] comment: still keep term "consumer key", isn't that still confusing?
[20:18:28] eh: didn't want to make protocol changes prior to Working Group decisions
[20:19:53] comment: a flow chart would be good
[20:19:57] hildjj leaves the room: Replaced by new connection
[20:19:57] hildjj joins the room
[20:20:15] jeff hodges: i did one already, can be re-used
[20:21:13] eh: interop a key requirement now; this was not a requirement of original oauth work, rather having libraries that would work against many servers
[20:21:31] Chris Newman joins the room
[20:22:36] Leslie Daigle joins the room
[20:22:40] interop issues: no required signature method, 3 parameter passing methods, ...
[20:23:44] hildjj leaves the room: Replaced by new connection
[20:23:44] hildjj joins the room
[20:23:49] Bernie leaves the room
[20:23:59] ekr: have to ask to what extent we want machine-readable statements of what instances support
[20:25:24] more interop issues: choice of HTTP methods; sites document what they do in human-readable form, instead of machine-discoverable; client registration is undefined; no error codes
[20:26:09] stpeter joins the room
[20:26:43] Doug Otis joins the room
[20:26:58] huilan lu: do we agree on scope, ie linking delegation and HTTP methods?
[20:27:23] blaine: we agreed to work on something as compatible as possible with current oauth
[20:27:41] hl: there are other use cases in other protocols
[20:28:21] the XMPP usage is defined in http://xmpp.org/extensions/xep-0235.html (but it has a few spec bugs)
[20:28:31] bc: yes, for example XMPP, but not in scope here ...
[20:29:53] mark.jones joins the room
[20:30:07] bc: no one has proposed alternative scope
[20:30:32] fenton leaves the room: Replaced by new connection
[20:30:32] fenton joins the room
[20:31:02] hubertlvg joins the room
[20:31:19] ehl: some parts of oauth are independent, others are very linked to HTTP, no one has proposed higher-level abstraction
[20:32:09] steve roberts: item in spec about "should synchronize clocks", but no info about how or how much
[20:32:35] stating an architectural requirement like "synchronization" is fine, IMHO, as long as it is justified.
[20:33:06] stephen farrell: should wait to do things like discovery later, lest they be ratholes now
[20:33:22] vidya joins the room
[20:33:28] Jabber-Wile joins the room
[20:33:31] ehl: just trying to be clear that these are the gaps now
[20:35:10] richard barnes: in favor of abstraction, being clear about authorization model and how that is applied to HTTP, i volunteer to help do this
[20:36:11] (and so does ekr, for the record :) )
[20:36:20] someone: current oauth doesn't specify UI or user authentication, will that be fixed?
[20:37:33] ehl: last time it was said IETF doesn't do UI, people think it's a benefit that oauth doesn't specify user authn, since it can work with many methods
[20:37:46] someone: doesn't that mean it's underspecified?
[20:37:48] badra joins the room
[20:38:35] kellan joins the room
[20:38:48] klaas@im.wierenga.net joins the room
[20:38:52] thomas hardjono: does this imply oauth 1.0 is deprecated?
[20:38:54] ehl: no
[20:40:00] dan.hoopyfrood joins the room
[20:40:16] bc: has been suggested to call IETF version "OAuth 1.1" to make clear difference from 1.0
[20:41:05] ekr: really two things: a protocol (the http method) and a framework (the redirection flow), so recommend two documents
[20:41:31] and it's also a list of acceptable auth primitives: plaintext, hmac/sha, rsa
[20:41:53] rather a list of minimum auth primitives
[20:41:58] What about the 2-legged scenario(s) - will there be clarifications in this work as to what use case(s) they cover etc.?
[20:42:26] [Hubert A. Le Van Gong] btw
[20:42:55] hubertlvg: i would very much like that. it's easily the most frequently asked question as far as I can tell.
[20:43:33] <=JeffH> can we find different terms than the "-legged" ones ?
[20:43:41] =JeffH: Dear god please.
[20:43:59] ehl: sentiment at prior IETF was not to look at two-legged scenarios
[20:44:01] Sam Hartman at the mic
[20:44:02] shades of animal farm: 2-legs bad, 3-legs good
[20:44:14] is this sam?
[20:44:19] nevermind
[20:44:26] eliot.lear: yes
[20:44:40] eliot.lear: yes :)
[20:44:48] sam hartman: regardless of what we say, people will use this for two-legged, so we would be lying to ignore it
[20:45:26] sam h: note this is reversal of my prior opinion
[20:46:00] Seth at the mic
[20:46:01] mhasib joins the room
[20:46:29] ekr: agree, has been so much whining about digest, if we're doing this we should replace digest too
[20:46:33] Hubert: The other "issue" with 2-legged is that I have seen cases where the 2-legged equates to an anonymous consumer and the other where the user == consumer.
[20:46:55] someone: in favor of more general signature doc that can be applied to XMPP etc
[20:47:05] name?
[20:47:09] /me
[20:47:09] IAAL?
[20:47:12] <=JeffH> seth
[20:47:45] richard.barnes leaves the room
[20:47:50] james.manger leaves the room
[20:47:53] stpeter: IANASPIAAL
[20:47:56] ehl: (back to presentation): security items
[20:48:06] Bernie joins the room
[20:48:26] kdz joins the room
[20:49:03] constraint on signature design was dev environments that don't have access to raw HTTP message, only parts
[20:49:34] oauth sends secrets in the clear (if not using TLS), is this bad?
[20:50:03] there may be DoS attacks
[20:50:28] identity of client isn't verified, so server might redirect client back to some bad place
[20:50:48] Audio is off. 404
[20:50:48] kdz leaves the room
[20:51:02] Hubert: yup streaming's down
[20:51:26] type fast bob ;-)
[20:51:48] and we're back
[20:51:52] who is at the mic?
[20:52:13] james.manger joins the room
[20:52:13] james.manger leaves the room
[20:52:16] <=JeffH> ? hammerick?
[20:52:17] audio is off, too. I can't connect to the server......
[20:52:17] that was me
[20:52:31] Audio is working now
[20:52:34] meadhbh.siobhan: thanks!
[20:52:37] james.manger joins the room
[20:52:40] I just alerted the NOC about the audio.
[20:52:59] siobhan: remember MOSS, don't create protocol where conformant implementations can't interop
[20:53:11] audio is ok now:)
[20:53:14] Hubert: How about signing responses?
[20:53:17] Audio is back for me, too, although I had to restart the stream
[20:53:57] Paul Hoffmann at the mic
[20:54:02] ehl: possible new sec features: alternative token methods, body hash, language preferences
[20:54:08] er, Hoffman
[20:54:57] pk joins the room
[20:55:01] paul hoffman: have to know ahead of time if this is going to be "HTTP citizen", ie whether it is going to use existing HTTP services or not, picking and choosing doesn't make sense
[20:56:01] ehl: sure, language pref, but HTTP doesn't do authn tokens?
[20:56:29] danwing joins the room
[20:56:33] ekr: what's the language issue?
[20:56:52] Hubert: I'm not sure I see what mechanisms are being ignored?
[20:57:13] bc: concern is that language from authz step might be different from language in use step ...
[20:58:01] jack leaves the room
[20:58:33] richard.barnes joins the room
[20:58:52] ehl: big concerns about usability of redirection workflow; ie site that sends user to resource site is concerned that the user come back, eg not be confused by things like language pref
[20:59:01] roblan joins the room
[21:00:20] isn't the language preference problem he describes much broader than the space addressed by oauth?
[21:00:20] yahoo person: supporting Internet-cafe case where machine might not be set to language of user's choice
[21:00:21] language preferences shouldn't be included here IMO unless OAuth is the only protocol doing the re-direct thing (which I don't think it is)
[21:00:28] Ted Hardie at the mic
[21:00:42] sftcd: agreed, the re-directing pattern is getting more and more common
[21:00:51] i think the "language problem" is to have a language preference follow the request
[21:01:16] language == human language?
[21:01:19] right
[21:01:29] ted hardie: for pure authorization case you want it to work without language context, can't be dependent on it
[21:01:42] klaas@im.wierenga.net leaves the room
[21:02:14] isn't that just an issue of setting the Accept-Language header?
[21:02:16] is he saying the request language (distinct from the users' language preference) should be meta-data attached to the request, but not a core part of the protocol?
[21:02:21] (he being ted)
[21:02:34] bc: that ends presentation material, hoping for more discussion of items ...
[21:03:46] bc: so, seem to be hearing a change of opinion about two-legged case
[21:04:20] zachary zeltan: nonce question
[21:04:24] mhasib leaves the room
[21:04:31] bc: nonces are to prevent replay attacks
[21:04:32] nonces are there to prevent replay attacks
[21:04:41] timestamps are there to prevent resource exhaustion on the nonces
[21:05:39] sam h: if this is replacement for digest, need to do a good job on it, in particular supporting mutual authentication and channel bindings, so these should be in scope
[21:05:54] Barry Leiba leaves the room
[21:05:58] richard.barnes leaves the room
[21:06:01] james.manger leaves the room
[21:06:13] meadhbh.siobhan: sorry, I missed your comment. I am saying that we can almost certainly manage the task of carrying around language preferences among the relevant parties. On a different point, I am saying that we should be relying on that for authorization decisions. My last statement boiled down to "so, let's keep them separate, eh?"
[21:06:17] ekr: SCRAM mechanism is also being worked on, would be nice if IETF standardized on one challenge/response mech instead of 10
[21:06:39] mrex joins the room
[21:07:03] did ekr volunteer to coordinate all the different auth techniques in use in the IETF? ;-)
[21:07:04] sam h: single solution is noble goal, but too much effort to get there, rather have multiple useful solutions
[21:07:38] Jabber-Wile leaves the room: Replaced by new connection
[21:07:47] ekr: could imagine using TLS in the SASL EXTERNAL style also
[21:07:54] Eran Hammer-Lahav leaves the room
[21:08:18] OMG!1! ponies
[21:08:31] sam h: would like to have protected incremental negotiation
[21:08:32] Eran Hammer-Lahav joins the room
[21:08:36] see what happens when you miss a meeting?
[21:08:37] Barry Leiba joins the room
[21:08:52] er, my statement above "On a different point, I am saying that we should be relying on that for authorization decisions" should have said "should NOT be relying".
[21:08:54] sorry
[21:09:02] ekr: would be nice to have some idea of PHP4 constraints going in ...
[21:09:08] Jabber-Wile joins the room
[21:09:47] ehl: maybe useful to go through charter again looking at changes based on today's discussion
[21:11:19] jon peterson is thanked for his RAI AD service with a bottle of rotgut
[21:12:00] jack joins the room
[21:12:53] hannes: do people know what 2-legged means?
[21:13:10] fenghongyan2009 joins the room
[21:13:51] ehl: 2-legged uses same HTTP authn mechanism, but not representing third party, ie a way of authenticating without using Basic Auth
[21:13:52] <=JeffH> see fig 3 here: http://identitymeme.org/archives/2008/10/22/oauth-protocol-flow-diagrams/
[21:14:12] fenghongyan2009 leaves the room
[21:14:36] hubert: raising his hand :)
[21:14:49] Leslie Daigle leaves the room
[21:15:01] Leslie Daigle joins the room
[21:15:06] Leslie apparently thinks we should have hummed instead of counting hands.
[21:15:08] hannes: vote on including 2-legged in scope: 20 or so in favor, 2 opposed
[21:15:26] (the BOF chair hasn't been briefed on humming?)
[21:15:46] dan.hoopyfrood: seems not
[21:16:01] bc: ekr raises concern about "backward compatible" phrase, may be too constraining
[21:16:39] Leslie Daigle leaves the room
[21:16:44] bc: intent was that changes should only be for strong reasons like security
[21:16:46] "In completing its work, the group will strive to retain backwards compatibility with RFCs 3920 and 3921. However, changes that are not backwards compatible might be accepted if the group determines that the changes are required to meet the group's technical objectives and the group clearly documents the reasons for making them."
[21:17:27] huilan lu: would like to have mechanism that doesn't require state on server, could that be justified?
[21:17:47] lisa d: if it gains consensus, yes
[21:17:58] tho for the record oauth 1.0 core is implementable w/o server-side state
[21:18:04] Leslie Daigle joins the room
[21:19:08] paul hoffman: smime WG got tangled in knots with arguments about what's "important enough" to justify compatibility breakage, very hard to "compare" importance
[21:20:04] clatze leaves the room
[21:20:04] is compatibility only an issue for not breaking libraries? I mean if site A interops with site B with existing OAuth, and site A wants to interop with site C via new-ietf-wg-oauth, this wouldn't affect the A/B compatibility
[21:20:45] that is - since every pair-wise interaction is preceded by an out-of-band agreement of many details anyway
[21:21:20] eliot.lear leaves the room
[21:21:36] stephen farrell: similar compat issues in DKIM, once you change bits in the hash, you can change others, main thing was to think about deployment compatibility and transition
[21:22:07] Leslie Daigle leaves the room
[21:22:19] We solved this problem in XMPP by having a way to detect new implementations that didn't break existing implementations.
[21:23:18] lisa d: propose a hum on charter with the two changes: include 2-legged and water down compat language
[21:23:35] vote: many hands supporting this proposed WG, none opposed
[21:23:52] all's well that ends well.
[21:23:56] meadhbh.siobhan leaves the room
[21:23:56] Eran Hammer-Lahav leaves the room
[21:24:02] Jabber-Wile leaves the room
[21:24:11] meeting adjourns @ 2:24
[21:24:12] kellan leaves the room
[21:24:21] Seth Fitzsimmons leaves the room
[21:24:24] sm leaves the room
[21:24:27] Blaine Cook leaves the room
[21:24:29] rlbob leaves the room
[21:24:32] Doug Otis leaves the room
[21:24:38] hubertlvg leaves the room
[21:24:40] Ted leaves the room
[21:25:06] Mark Lentczner leaves the room
[21:25:25] Ben Ramsey leaves the room
[21:25:32] mark.jones leaves the room
[21:26:10] resnick leaves the room
[21:26:47] vidya leaves the room
[21:26:50] Aaron Stone leaves the room
[21:26:53] danwing leaves the room
[21:28:25] Barry Leiba leaves the room
[21:28:42] Ed joins the room
[21:29:08] Ed leaves the room
[21:30:41] pk leaves the room
[21:30:55] MrTopf joins the room
[21:31:27] roblan leaves the room
[21:33:24] hildjj leaves the room
[21:33:42] dan.hoopyfrood leaves the room
[21:38:05] shirleyhm leaves the room
[21:39:14] jtrentadams leaves the room
[21:41:44] Chris Newman leaves the room
[21:42:00] hildjj joins the room
[21:42:22] badra leaves the room
[21:44:40] David Cooper leaves the room
[21:46:22] stpeter leaves the room: Replaced by new connection
[21:46:22] fenton leaves the room
[21:46:24] jack leaves the room
[21:47:31] hildjj leaves the room: Replaced by new connection
[21:47:33] hildjj joins the room
[21:49:49] Cullen Jennings leaves the room
[21:50:13] Bernie leaves the room
[21:55:38] Doug Otis joins the room
[22:00:07] sftcd leaves the room
[22:00:17] Doug Otis leaves the room
[22:00:51] Ted joins the room
[22:07:59] hildjj leaves the room
[22:15:38] =JeffH leaves the room: Logged out
[22:18:53] Doug Otis joins the room
[22:18:57] Doug Otis leaves the room
[22:21:35] mikemlb leaves the room
[22:23:20] richard.barnes joins the room
[22:26:16] richard.barnes leaves the room
[22:28:57] richard.barnes joins the room
[22:29:53] Chris Newman joins the room
[22:30:19] Chris Newman leaves the room
[22:31:25] Bernie joins the room
[22:39:40] kellan joins the room
[22:39:42] kellan leaves the room
[23:04:10] hildjj joins the room
[23:05:56] MrTopf leaves the room
[23:06:24] hildjj leaves the room
[23:07:31] Leslie Daigle joins the room
[23:19:50] Leslie Daigle leaves the room
[23:20:16] Leslie Daigle joins the room
[23:23:06] roblan joins the room
[23:28:59] Blaine Cook joins the room
[23:34:24] Blaine Cook leaves the room
[23:35:54] tonyhansen leaves the room
[23:36:20] tonyhansen joins the room
[23:41:04] roblan leaves the room
[23:43:05] Leslie Daigle leaves the room
[23:46:58] hildjj joins the room
[23:49:40] Ted leaves the room