On Tue, Mar 23, 2010 at 10:18 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
> Microsoft recently offered to sponsor me to work on OAuth. For the past
> few months I have participated in the WG on my own time, but I am now
> able to devote a significant amount of time to this WG.

Sweet.

> At the IETF post meeting this week, there was discussion of working
> on both draft-hardt-oauth and draft-recordon-oauth2. David's draft
> has garnered much discussion, much of it comments on what was
> dropped from WRAP. Similarly, if draft-hardt-oauth was revised to
> include signatures, it likely would also generate discussion. Seems
> like a waste for the WG to be providing comments on two documents.

So there is a bunch of good stuff in both documents.

What I like from David's draft:
- device profile
- adding oauth_mode
- single refresh token workflow (though as David points out in another thread, this needs tweaking.)

What I like from WRAP:
- a whole bunch of profiles and use cases that got dropped from David's draft.

I don't think the OAuth 1.0 signature scheme is a good choice for OAuth 2, but we talked in person at IETF about some alternatives. Dick and I both have opinions on what we think it should look like, I'm hoping Dick will write it up soon.

I'm going to write up some security considerations (I think Richard Barnes is interested, too), based mostly on the WRAP draft, plus some of the profiles from the OAuth2 draft.

So short-term we are probably going to end up with more documents rather than fewer.

I think the discussion is going really well and I'm happy to have so many people participating.

Cheers,
Brian