On 08/09/2012 07:26 PM, John Bradley wrote: > In Vancouver the question was asked about the future of the MAC spec due to > it no linger having a editor. > > The Chair and AD indicated a desire to have a document on the use-cases we > are trying to address before deciding on progressing MAC or starting a new > document.
Just to clarify: I don't care if its documented in an I-D, a tune you whistle, or a bunch of emails. I do agree with what Hannes was saying in Vancouver: that the WG need to figure out what you want and document that however the chairs figure is best. S > Phil Hunt is going to put together a summery of the Vancouver discussion and > we are going to work on the use-case/problem description document ASAP. > > People are welcome to contribute to the use-case document. > > Part of the problem with MAC has been that people could never agree on what > it was protecting against. > > I think there is general agreement that one or more proof mechanisms are > required for access tokens. > Security for the token endpoint also cannot be ignored. > > > John B. > > On 2012-08-09, at 1:53 PM, William Mills wrote: > >> MAC fixes the signing problems encountered in OAuth 1.0a, yes there are >> libraries out there for OAuth 1.0a. MAC fits in to the OAuth 2 auth model >> and will provide for a single codepath for sites that want to use both >> Bearer and MAC. >> >> From: Dick Hardt <dick.ha...@gmail.com> >> To: William Mills <wmills_92...@yahoo.com> >> Cc: "oauth@ietf.org" <oauth@ietf.org> >> Sent: Thursday, August 9, 2012 10:27 AM >> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01 >> >> >> On Aug 9, 2012, at 9:52 AM, William Mills wrote: >> >>> I find the idea of starting from scratch frustrating. MAC solves a set of >>> specific problems and has a well defined use case. It's symmetric key >>> based which doesn't work for some folks, and the question is do we try to >>> develop something that supports both PK and SK, or finish the SK use case >>> and then work on a PK based draft. >>> >>> I think it's better to leave them separate and finish out MAC which is >>> *VERY CLOSE* to being done. >> >> Who is interested in MAC? People can use OAuth 1.0 if they prefer that >> model. >> >> For my projects, I prefer the flexibility of a signed or encrypted JWT if I >> need holder of key. >> >> Just my $.02 >> >> -- Dick >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth