[oauth] Another Charter Text Update
OAuth allows a user to grant a third-party Web site or application access to their resources, without necessarily revealing their credentials, or even their identity. For example, a photo-sharing site that supports OAuth would allow its users to use a third-party printing Web site to access their private pictures, without gaining full control of the user account.

OAuth consists of:

* A mechanism for exchanging a user's credentials for a token-secret pair which can be used by a third party to access resources on their behalf.
* A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for consideration as Proposed Standard, based upon draft-hammer-oauth-00.txt, that will:

* Improve the terminology used.
* Embody good security practice, or document gaps in its capabilities, and propose a path forward for addressing the gap.
* Promote interoperability.
* Provide guidelines for extensibility.

This specifically means that as a starting point for the working group OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available extension points are going to be utilized. The WG will profile OAuth 1.0 in a way that produces a specification that is a backwards compatible profile, i.e. any OAuth 1.0 and the specification produced by this group must support a basic set of features to guarantee interoperability.
It looks like OAuth is heading to the IETF, which is great news, but does amuse me since I was told by some of those involved with OAuth that they weren't going to bring it to the IETF since they "wanted to move fast." That was over a year and a half ago.
I'll reserve judgment until I see how it compares to what comes out of the IETF.
Posted by Joe on 2009-02-23
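The charter quoted above describes OAuth 1.0 as two mechanisms; the second, signing HTTP requests with the token-secret pair, is shown below as an added example that is not part of the original post, the charter, or any OAuth project's own code. It implements the OAuth 1.0 HMAC-SHA1 signing rules (percent-encoding, parameter normalization, the signature base string, and a key built from the consumer secret and the token secret) on the client side, and the matching check a resource server would run: recompute the signature, compare it in constant time, and reject stale timestamps and replayed nonces. The request parameters are those of the worked example in RFC 5849 (the RFC that later came out of the draft the charter names), so the base string can be checked against the published one; the two secrets, the nonce store, and all function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct_encode(value: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(value, safe="-._~")


def base_url(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    if (scheme, netloc[-3:]) == ("http", ":80") or (scheme, netloc[-4:]) == ("https", ":443"):
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit((scheme, netloc, parts.path, "", ""))


def normalize_params(params) -> str:
    """Encode every key and value, sort by key then value, join as key=value&..."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """METHOD & encoded base URL & encoded normalized parameters.

    Parameters come from the query string, the form-encoded body, and the
    oauth_* header fields; realm and oauth_signature itself are excluded.
    """
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += list(parse_qsl(body, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    return "&".join([method.upper(), pct_encode(base_url(url)), pct_encode(normalize_params(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Key is consumer secret and token secret, each encoded, joined by '&'."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret,
                 timestamp=None, nonce=None) -> dict:
    """Client side: build the oauth_* parameters and attach the signature."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
    }
    base = signature_base_string(method, url, body, oauth_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def authorization_header(oauth_params: dict, realm: str = "") -> str:
    """Render the parameters as an Authorization: OAuth header value."""
    parts = [f'realm="{realm}"'] if realm else []
    parts += [f'{pct_encode(k)}="{pct_encode(v)}"' for k, v in oauth_params.items()]
    return "OAuth " + ", ".join(parts)


def verify_signature(method, url, body, oauth_params, consumer_secret, token_secret,
                     seen_nonces: set, now=None, window=300) -> bool:
    """Server side: freshness window, nonce replay check, constant-time compare.

    seen_nonces is a constructed in-memory replay store keyed on
    (consumer key, token, timestamp, nonce); a real server would persist it.
    """
    if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(oauth_params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs((time.time() if now is None else now) - ts) > window:
        return False
    replay_key = (oauth_params.get("oauth_consumer_key"), oauth_params.get("oauth_token"),
                  ts, oauth_params.get("oauth_nonce"))
    if replay_key in seen_nonces:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, body, oauth_params),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
        return False
    seen_nonces.add(replay_key)  # record only after a successful check
    return True


# Request from the RFC 5849 worked example; the secrets below are constructed.
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_BODY = "c2&a3=2+q"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"

if __name__ == "__main__":
    print(signature_base_string("POST", SAMPLE_URL, SAMPLE_BODY, SAMPLE_OAUTH))
    signed = sign_request("POST", SAMPLE_URL, SAMPLE_BODY, "9djdj82h48djs9d2", CONSUMER_SECRET,
                          "kkk9d7dh3k39sjv7", TOKEN_SECRET, timestamp=137131201, nonce="7d8f3e4a")
    print(authorization_header(signed, realm="Example"))
```

The signature covers the method, the base URL, and every query, body and oauth_* parameter, which is why a change to any of them (the verification check with a modified query string) fails; what it does not cover is the rest of the request, such as other headers or a non-form-encoded body, which is the kind of capability gap the charter asks the group to document. The timestamp window and nonce store are what turn a valid signature into a one-time credential for that request.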
We did move fast, and shipped early and often. How many specs have seen as widespread success and adoption as OAuth during the same 1 1/2 years?
Now it is time to turn this into a standard, and the IETF process is a great one for that. The fact that it will slow things down now isn't necessarily a bad thing at this point.
If anything, I'd say that the approach taken by OAuth worked rather well, wouldn't you?
Posted by DeWitt Clinton on 2009-02-23