I agree with Bill's statement and have stated so on several occasions. I
think it's clear that we've got several use cases that are interested in
different things, and I think that there's very little chance that we're
going to have one super amazing specification that can cover all of
them. I think we're going to end up with several different kinds of
tokens with different properties, and we should work on them
independently, openly, and in parallel.
It was decided at IETF85 that we should put together a regular
discussion to help decide the fate of MAC, HOK, and other similar
efforts. For those interested in the discussion, Hannes is setting up a
series of phone conversations about this very topic:
http://www.doodle.com/smvh5pmcqc43dti3#table
-- Justin
On 11/26/2012 01:41 PM, William Mills wrote:
I object to tying MAC to HOK; I see them as independent, and I frankly
don't understand why folks insist that MAC cannot proceed without a
broader HOK spec.
-bill
------------------------------------------------------------------------
*From:* Phil Hunt <phil.h...@oracle.com>
*To:* Sergey Beryozkin <sberyoz...@gmail.com>
*Cc:* "<oauth@ietf.org>" <oauth@ietf.org>
*Sent:* Monday, November 26, 2012 10:28 AM
*Subject:* Re: [OAUTH-WG] What needs to be done to complete MAC
If we want to get this done we have to get agreements on the
requirements for HOK. Several meetings ago (Quebec) the group
indicated that MAC wasn't appropriate to anyone's needs.
Some would argue that OAuth1 users arguably have less security than
the simpler bearer token /tls model in OAuth2. This just shows the
real issue of demonstrated need has not been properly defined and
understood.
More dialog on use cases is very helpful to moving HOK/MAC/etc forward.
Phil
On 2012-11-26, at 10:15, Sergey Beryozkin <sberyoz...@gmail.com
<mailto:sberyoz...@gmail.com>> wrote:
> Hi
>
> What needs to be done to complete the MAC token spec? Without
> having it signed off it will be difficult to get people working with
> OAuth 1.0 convinced to move to 2.0.
> I'm seeing another user request for getting OAuth 1.0 support
> extended further because the user expects it is more secure, and I
> guess because it is proven to work for people, and I guess because
> many OAuth 1.0 users feel they should stay away from OAuth 2.0 because of
> some bad press.
>
> Without MAC being completed the division will continue, with even
> more misleading anti-OAuth2 posts appearing (though I guess some of
> the better posts point to some level of complexity in 2.0).
>
> Is it a matter of a security expert validating the text, fixing a few
> typos, and basically signing it off?
>
> If someone is interested then I can provide the info offline on how
> MAC is supported in our framework to get things tested easily and such...
>
> Cheers, Sergey
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth