Re: [OAUTH-WG] What needs to be done to complete MAC

Mon, 26 Nov 2012 10:41:47 -0800 

I object to tying MAC to HOK, I see them as independent and I frankly don't 
understand why folks insist that MAC can not proceed without a broader HOK 
spec.  

-bill


________________________________
 From: Phil Hunt <phil.h...@oracle.com>
To: Sergey Beryozkin <sberyoz...@gmail.com> 
Cc: "<oauth@ietf.org>" <oauth@ietf.org> 
Sent: Monday, November 26, 2012 10:28 AM
Subject: Re: [OAUTH-WG] What needs to be done to complete MAC
 
If we want to get this done we have to get agreements on the requirements for 
HOK. Several meetings ago (quebec) the group indicated that mac wasn't 
appropriate to anyone's needs. 

Some would argue that OAuth1 users arguably have less security than the simpler 
bearer token /tls model in OAuth2. This just shows the real issue of 
demonstrated need has not been properly defined and understood. 

More dialog on use cases is very helpful to moving HOK/MAC/etc forward. 

Phil

On 2012-11-26, at 10:15, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi
> 
> What needs to be done to complete the MAC token spec ? Without having it 
> signed off it will be difficult to get people working with OAuth 1.0 
> convinced to move to 2.0.
> I'm seeing another user request for getting OAuth 1.0 support extended 
> further because the user expects it is more secure, and I guess because it is 
> proven to work for people, and I guess because many OAuth 1.0 users feel that 
> should stay from OAuth 2.0 because of some bad press.
> 
> Without MAC being completed the division will continue, with even more 
> misleading anti-OAuth2 posts appearing (though I guess some of the better 
> posts point to some level of complexity in 2.0).
> 
> Is it a matter of a security expert validating the text, fixing few typos, 
> and basically signing it off ?
> 
> If someone is interested then I can provide the info offline on how it MAC 
> supported in our framework to get things tested easily and such...
> 
> Cheers, Sergey
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to