Hey Tim,

Earlier this year we had discussions around use cases but they did not lead to more insight.

There is a document in the draft repository that talks about use cases, namely http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/ But it had never gotten a lot of attention on the list. (I don't know why.)

Efforts to reach out to the Kantara UMA group for more sophisticated use cases that motivate some security mechanisms have not produced anything either. (I believe the reason was that the scenarios focused on the user-experience aspect rather than on security differences.)

If you look at the draft that Blaine and I put together recently (see http://datatracker.ietf.org/doc/draft-tschofenig-oauth-signature-thoughts/ ) then you will notice that from a security point of view there is very little difference between using message signing on the HTTP layer and using TLS with respect to a certain class of security threats. In our recommendation we actually suggest to recommend going for the HTTP layer security because we are worried that ***operational*** aspects will go wrong in deployments.

While I was convinced initially that looking at the use cases would get us further on the security questions, it actually does not.

Ciao
Hannes

PS: Btw, your feedback on the security draft would be of interest to us.

On 10/27/10 9:09 PM, "ext Freeman, Tim" <tim.free...@hp.com> wrote:

> On the face of it, it seems that discussion of whether and how to split the
> document has derailed collection of use cases. If we had consensus on a list
> of use cases, that would mean we have identified the problems we're trying to
> solve. This would still allow slimy political manipulation of the process by
> manipulating the use case list, but that would be progress. It's better to
> have a protocol that solves a politically-defined set of problems than to have
> a politically-defined protocol that solves no identified problem.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth