On 08/09/2012 07:26 PM, John Bradley wrote:
> In Vancouver the question was asked about the future of the MAC spec due to 
> it no longer having an editor.
> 
> The Chair and AD indicated a desire to have a document on the use-cases we 
> are trying to address before deciding on progressing MAC or starting a new 
> document.

Just to clarify: I don't care if it's documented in an I-D,
a tune you whistle, or a bunch of emails.

I do agree with what Hannes was saying in Vancouver: that
the WG needs to figure out what you want and document that
however the chairs figure is best.

S

> Phil Hunt is going to put together a summary of the Vancouver discussion and 
> we are going to work on the use-case/problem description document ASAP.
> 
> People are welcome to contribute to the use-case document.
> 
> Part of the problem with MAC has been that people could never agree on what 
> it was protecting against.  
> 
> I think there is general agreement that one or more proof mechanisms are 
> required for access tokens.
> Security for the token endpoint also cannot be ignored. 
> 
> 
> John B.
>  
> On 2012-08-09, at 1:53 PM, William Mills wrote:
> 
>> MAC fixes the signing problems encountered in OAuth 1.0a; yes, there are 
>> libraries out there for OAuth 1.0a.  MAC fits into the OAuth 2 auth model 
>> and will provide for a single codepath for sites that want to use both 
>> Bearer and MAC.
>>
>> From: Dick Hardt <dick.ha...@gmail.com>
>> To: William Mills <wmills_92...@yahoo.com> 
>> Cc: "oauth@ietf.org" <oauth@ietf.org> 
>> Sent: Thursday, August 9, 2012 10:27 AM
>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>>
>>
>> On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>>
>>> I find the idea of starting from scratch frustrating.  MAC solves a set of 
>>> specific problems and has a well-defined use case.  It's symmetric key 
>>> based which doesn't work for some folks, and the question is do we try to 
>>> develop something that supports both PK and SK, or finish the SK use case 
>>> and then work on a PK based draft.
>>>
>>> I think it's better to leave them separate and finish out MAC which is 
>>> *VERY CLOSE* to being done.
>>
>> Who is interested in MAC? People can use OAuth 1.0 if they prefer that 
>> model. 
>>
>> For my projects, I prefer the flexibility of a signed or encrypted JWT if I 
>> need holder of key.
>>
>> Just my $.02
>>
>> -- Dick  
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth