> 1. Should we specify some token type as mandatory to implement?  Why or why 
> not (*briefly*)?


Briefly... No.  Because it doesn't actually solve the whole problem and 
mandates a particular security model.  


Not so briefly....  


It tries to solve the client-to-server interoperability by ensuring that there 
is a supported auth type, but in fact it will mandate a security model which is 
something the core spec has specifically avoided.  Signed tokens (MAC etc.)  
and bearer type tokens (Bearer, JWT, etc.) are different in their security 
characteristics.

It also does not solve at all the problem of token compatibility, which is 
something the auth and protected service endpoints have to agree on within a 
realm.  It is difficult to justify that there has to be realm to realm 
compatibility.


What we actually need to support as MTI is that the clients can discover what 
authentication schemes are supported for the endpoints they want to access and 
select a method they support.  This is very much in the SSL model of choosing 
key exchange and cipher suites.

-bill
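
The discovery Bill describes already has an HTTP vehicle: the WWW-Authenticate challenge (RFC 2617 at the time of this thread, since revised as RFC 7235), which is also the form the Bearer spec uses to advertise realm and scope. The following Python is an added example, not code from this thread or from any WG draft. It parses a challenge header that carries several schemes and lets a client pick one it implements, in its own preference order, failing closed when there is no overlap. The sample header value and the `api.example` realm are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the thread): a protected resource answering a
# request with two challenges, a Bearer one in the form the Bearer spec uses
# and a MAC one. Both name the same assumed realm, api.example.
SAMPLE_HEADER = (
    'Bearer realm="api.example", scope="read write", '
    'MAC realm="api.example"'
)

# One auth-param: token "=" (quoted-string | token), with an optional trailing
# comma so the next param or the next scheme can follow.
_PARAM = re.compile(r'\s*([A-Za-z0-9_\-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')
# A scheme name is a token that is NOT followed by "=", which is how a new
# challenge is told apart from a parameter of the previous one.
_SCHEME = re.compile(r'\s*([A-Za-z0-9_\-]+)(?=\s|,|$)')
_SEP = re.compile(r'\s*,?\s*')


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_www_authenticate(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a WWW-Authenticate field value into (scheme, params) pairs.

    Schemes without parameters are allowed; a stray token that is neither a
    scheme nor a param is a parse error rather than something to guess at.
    """
    challenges: List[Tuple[str, Dict[str, str]]] = []
    pos, end = 0, len(header)
    while pos < end:
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}: {header[pos:]!r}")
        scheme, pos = m.group(1), m.end()
        params: Dict[str, str] = {}
        while True:
            pm = _PARAM.match(header, pos)
            if not pm:
                break
            # Param names are case-insensitive; keep the first occurrence.
            params.setdefault(pm.group(1).lower(), _unquote(pm.group(2)))
            pos = pm.end()
        challenges.append((scheme, params))
        pos = _SEP.match(header, pos).end()
    return challenges


def select_scheme(header: str, client_schemes: List[str]) -> Tuple[str, Dict[str, str]]:
    """Choose, in the client's own preference order, the first offered scheme
    the client actually implements.

    Anything the client does not list is ignored outright, so a scheme the
    client never vetted can never be "negotiated down" to; no overlap is an
    error the caller must surface, not a prompt to try something else.
    """
    offered: Dict[str, Tuple[str, Dict[str, str]]] = {}
    for scheme, params in parse_www_authenticate(header):
        # Scheme names are case-insensitive; keep the server's spelling.
        offered.setdefault(scheme.lower(), (scheme, params))
    for wanted in client_schemes:
        hit = offered.get(wanted.lower())
        if hit is not None:
            return hit
    raise LookupError(
        f"no mutually supported scheme: server offers {sorted(offered)}, "
        f"client implements {[s.lower() for s in client_schemes]}"
    )


if __name__ == "__main__":
    for scheme, params in parse_www_authenticate(SAMPLE_HEADER):
        print(f"offered: {scheme} {params}")
    chosen, params = select_scheme(SAMPLE_HEADER, ["MAC", "Bearer"])
    print(f"client picked {chosen} for realm {params.get('realm')!r}")
```

Note that the client, not the server, holds the preference list: a client that implements both a signed scheme and a bearer scheme states which it wants first, and a server that offers neither produces an explicit `LookupError` rather than a silent fallback. That is the piece Bill's "SSL model" analogy calls for, and it is independent of whether any single token type is mandatory to implement.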


-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Barry 
Leiba
Sent: Thursday, November 17, 2011 12:29 AM
To: oauth WG
Subject: [OAUTH-WG] Mandatory-to-implement token type

Stephen, as AD, brought up the question of mandatory-to-implement token types, 
in the IETF 82 meeting.  There was some extended discussion on the point:

- Stephen is firm in his belief that it's necessary for interoperability.  He 
notes that mandatory to *implement* is not the same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting or 
negotiating a token type, there is no value in having any type be mandatory to 
implement.

Stephen is happy to continue the discussion on the list, and make his point 
clear.  In any case, there was clear consensus in the room that we *should* 
specify a mandatory-to-implement type, and that that type be bearer tokens.  
This would be specified in the base document, and would make a normative 
reference from the base doc to the bearer token doc.

We need to confirm that consensus on the mailing list, so this starts the 
discussion.  Let's work on resolving this over the next week or so, and moving 
forward:

1. Should we specify some token type as mandatory to implement?  Why or why not 
(*briefly*)?

2. If we do specify one, which token type should it be?

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
