On Thu, 2010-02-18 at 10:14 -0700, Eran Hammer-Lahav wrote:
> A few questions we should answer before moving forward. Considering
> *your* use cases and reasons for being here:
> 
> 1. Why are you here?

I have built and plan to continue building OAuth implementations. I am
also working on the UMA protocol, which currently relies heavily on
OAuth.

> What are you trying to solve that is not already addressed by existing
> specifications (OAuth 1.0a, WRAP, etc)?

OAuth 1.x currently requires signatures that include consumer key and
secret, which is problematic when (distributed) policy enforcement
points need consumer key material to verify signatures.

OAuth has a lot of potential for securing resources, beyond its current
scope of delegating access. Separating delegation from authentication
further supports this.

> 2. Should the WG start by taking WRAP or OAuth 1.0a as its starting
> point? Something else?

OAuth 1.0a.

> 3. If we start from draft-hammer-oauth, what needs to change to turn
> it into OAuth 2.0?

Off the top of my head:

- separation of token issuance (delegation) and request authentication
- abstract token format with a concrete minimum supportable set
- token usage profiles (e.g. bearer vs. symmetric key vs. asymmetric)

> 4. If we start from draft-hardt-oauth, what needs to change to turn it
> into OAuth 2.0?

No comment.

> 5. Do you think the approach of working first on 'how to use a token'
> and then on 'how to get a token' is right?

Yes.

> 6. Should we go back to working on a single specification?

Yes.

> 7. Do you think the protocol should include a signature-based
> authentication scheme?

Yes.

Paul

> 
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


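The signature property Paul raises above (an OAuth 1.0a HMAC-SHA1 verifier must hold the consumer secret, whereas an asymmetric profile lets a distributed policy enforcement point verify with public key material only), as an added Go example that is not part of this thread, of UMA, or of any OAuth implementation. It builds the signature base string as specified in RFC 5849 (the published form of draft-hammer-oauth), then signs it with HMAC-SHA1 and with RSA-SHA1 and verifies each the way a PEP would. The URL, parameter values, secrets and the generated RSA key are constructed for the example; the names percentEncode, BaseString, SignHMAC, VerifyHMAC, SignRSA and VerifyRSA are this example's own.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// percentEncode is the RFC 5849 §3.6 encoding: unreserved bytes pass through, every other byte becomes %XX (uppercase hex).
func percentEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' || '0' <= c && c <= '9' || c == '-' || c == '.' || c == '_' || c == '~' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// BaseString builds the RFC 5849 §3.4.1 signature base string; the URL's query supplies parameters, oauth_signature is skipped, body parameters are not handled.
func BaseString(method, rawURL string, oauthParams map[string]string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		panic(err)
	}
	// §3.4.1.2: lowercase scheme and host, drop the default port, keep only the path.
	scheme, host := strings.ToLower(u.Scheme), strings.ToLower(u.Hostname())
	if p := u.Port(); p != "" && !(scheme == "http" && p == "80") && !(scheme == "https" && p == "443") {
		host += ":" + p
	}
	// §3.4.1.3: encode names and values, sort by name then value, join with "&".
	var pairs [][2]string
	add := func(k, v string) { pairs = append(pairs, [2]string{percentEncode(k), percentEncode(v)}) }
	for k, v := range oauthParams {
		if k != "oauth_signature" {
			add(k, v)
		}
	}
	for k, vs := range u.Query() {
		for _, v := range vs {
			add(k, v)
		}
	}
	sort.Slice(pairs, func(i, j int) bool {
		return pairs[i][0] < pairs[j][0] || pairs[i][0] == pairs[j][0] && pairs[i][1] < pairs[j][1]
	})
	parts := make([]string, len(pairs))
	for i, p := range pairs {
		parts[i] = p[0] + "=" + p[1]
	}
	return strings.ToUpper(method) + "&" + percentEncode(scheme+"://"+host+u.EscapedPath()) + "&" + percentEncode(strings.Join(parts, "&"))
}

// SignHMAC is HMAC-SHA1 (§3.4.2): the key is consumer secret "&" token secret, so a verifier must hold both secrets.
func SignHMAC(base, consumerSecret, tokenSecret string) string {
	mac := hmac.New(sha1.New, []byte(percentEncode(consumerSecret)+"&"+percentEncode(tokenSecret)))
	mac.Write([]byte(base))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}
func VerifyHMAC(base, consumerSecret, tokenSecret, sig string) bool {
	return hmac.Equal([]byte(SignHMAC(base, consumerSecret, tokenSecret)), []byte(sig))
}

// SignRSA is RSA-SHA1 (§3.4.3): RSASSA-PKCS1-v1_5 over SHA-1 of the base string; verifying needs only the public key.
func SignRSA(base string, priv *rsa.PrivateKey) string {
	h := sha1.Sum([]byte(base))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:]) // errs only if the key is too short for SHA-1
	return base64.StdEncoding.EncodeToString(sig)
}
func VerifyRSA(base string, pub *rsa.PublicKey, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	h := sha1.Sum([]byte(base))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], raw) == nil
}

// Constructed sample request and keys; every key, token, nonce and secret value is made up.
const sampleURL = "HTTPS://API.Example.com:443/photos?file=vacation.jpg&size=original"
var sampleParams = map[string]string{
	"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk", "oauth_nonce": "kllo9940pd9333jh",
	"oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1266512040", "oauth_version": "1.0",
}
var consumerKey, _ = rsa.GenerateKey(rand.Reader, 2048) // client key pair; a PEP receives only &consumerKey.PublicKey

func main() {
	base := BaseString("get", sampleURL, sampleParams)
	sig := SignHMAC(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
	fmt.Println(base)
	fmt.Println("HMAC with secrets:", VerifyHMAC(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00", sig), "without:", VerifyHMAC(base, "", "", sig))
	fmt.Println("RSA with public key only:", VerifyRSA(base, &consumerKey.PublicKey, SignRSA(base, consumerKey)))
}
```

Both signers are run over the same base string to keep the comparison short; a real RSA-SHA1 request would carry oauth_signature_method=RSA-SHA1, which changes the base string but not the point shown: the HMAC verifier fails as soon as it lacks either secret, while the RSA verifier holds nothing that could be used to forge requests. SHA-1 is what RFC 5849 specifies for both methods; a new profile would pick a current hash.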