<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Times New Roman; font-size: 12pt; color: #000000'>Unless there are any objections, I will change this voting period to match that of the CX working group where the vote will open Saturday February 14th.<br><br>--David<br><br>----- "David Recordon" &lt;david@sixapart.com&gt; wrote:
<br>> The Specifications Council recommends that the Foundation members approve the creation of the OpenID and OAuth Hybrid Extension working group (<a href="http://openid.net/pipermail/specs-council/2009-January/000099.html" target="_blank">http://openid.net/pipermail/specs-council/2009-January/000099.html</a>), as proposed below and found at http://wiki.openid.net/OpenID-and-OAuth-Hybrid-Extension.<br>> <br>> <div>If you are a member of the OpenID Foundation, you'll be able to log in and vote on the creation of this new working group after this 14-day notice period. The vote thus will be from Wednesday February 11th through Wednesday February 18th. All votes are held in US Pacific Time.</div><div><br>> </div><div>--David</div><div><br>> </div><div><br>> </div><div><div><b>Background Information</b></div><div>OpenID has always been focused on how to enable user-authentication within the browser. Over the last year, OAuth has been developed to allow authorization either from within a browser, desktop software, or mobile devices. Obviously there has been interest in using OpenID and OAuth together allowing a user to share their identity as well as grant a Relying Party access to an OAuth protected resource in a single step. A small group of people have been working on developing an extension to OpenID which makes this possible in a collaborative fashion within http://code.google.com/p/step2/. This small project includes a draft spec and Open Source implementations which the proposers would like to finalize within the OpenID Foundation. </div><div><br>> </div><div><b>Working Group Name</b></div><div>OpenID OAuth Hybrid Working Group </div><div><br>> </div><div><b>Purpose</b></div><div>Produce a standard OpenID extension to the OpenID Authentication protocol that provides a mechanism to embed an OAuth approval request into an OpenID authentication request to permit combined user approval. 
The extension addresses the use case where the OpenID Provider and OAuth Service Provider are the same service. To provide good user experience, it is important to present a combined authentication and authorization screen for the two protocols. </div><div><b><br>> </b></div><div><b>Scope</b></div><div>The proposed work is as follows: </div><div><br>> </div><div> * Extend the OpenID authentication request/response and the assertion verification mechanism, to embed an OAuth approval request into an OpenID authentication request. Assuming the OpenID Provider and OAuth Service Provider are the same service.</div><div> * Insulation of each protocol from the other, both for backwards compatibility as well as to enable OpenID and OAuth to evolve and incorporate additional features without requiring reviews of the combined usage. Especially, to allow future support for unregistered OAuth consumers.</div><div> * Security analysis and best practices </div><div><br>> </div><div>Out of scope</div><div><br>> </div><div> * The OpenID extension does not define an unregistered OAuth consumers mode, but instead ensures that such support would be possible by protocol insulation. The unregistered consumers mode should be defined separately in the OAuth specifications. </div><div><br>> </div><div><b>Anticipated Contributions</b></div><div>Finalize the OpenID OAuth Extension spec (http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html) as an official OpenID Extension. </div><div><br>> </div><div><b>Proposed List of Specifications</b></div><div>OpenID OAuth Extension 1.0. Specification completion by Q1 2009. 
</div><div><br>> </div><div><b>Anticipated audience or users of the work</b></div><div> * OpenID Providers and Relying Parties</div><div> * OAuth Consumers and Service Providers</div><div> * Implementers of OpenID Providers and Relying Parties </div><div><br>> </div><div><b>Language in which the WG will conduct business</b></div><div>English. </div><div><br>> </div><div><b>Method of work</b></div><div>E-mail discussions on the working group mailing list and working group conference calls. </div><div><b><br>> </b></div><div><b>Basis for determining when the work of the WG is completed</b></div><div>The work will be completed once it is apparent that maximal consensus on the protocol proposal has been achieved within the working group, consistent with the purpose and scope. </div><div><br>> </div><div><b>Proposers</b></div><div> * Ben Laurie, benl@google.com, Google</div><div> * Breno de Medeiros, breno@google.com, Google</div><div> * David Recordon, drecordon@sixapart.com, Six Apart</div><div> * Dirk Balfanz, balfanz@google.com, Google</div><div> * Joseph Smarr, jsmarr@plaxo.com, Plaxo</div><div> * Yariv Adan, yariv@google.com, Google</div><div> * Allen Tom, atom@yahoo-inc.com , Yahoo</div><div> * Josh Hoyt, josh@janrain.com , JanRain </div><div><br>> </div><div><b>Initial Editors</b></div><div> * Dirk Balfanz, balfanz@google.com, Google</div><div> * Breno de Medeiros, breno@google.com, Google</div><br>> </div><br>> _______________________________________________
</div></body></html>