Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Brian Eaton
On Wed, Mar 24, 2010 at 9:46 PM, Luke Shepard wrote: > This is probably a stupid question, but why do we need accurate timestamps? > Why is it not sufficient to use a monotonically increasing call_id to > prevent replay attacks? (this is how the Facebook sig algorithm works) Monotonically increas

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Luke Shepard
This is probably a stupid question, but why do we need accurate timestamps? Why is it not sufficient to use a monotonically increasing call_id to prevent replay attacks? (this is how the Facebook sig algorithm works) On Mar 24, 2010, at 9:28 PM, Raffi Krikorian wrote: but timestamps are still n

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Hans Granqvist
Paul, I really like your problem reporting mechanism. Although diminishing, problems with time synch and general OAuth are still prevalent with our Netflix developers. Hans On Wed, Mar 24, 2010 at 6:26 PM, Paul Lindner wrote: > Right now if a client with an inaccurate clock makes an OAuth cal

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Brent Goldman
I am also supportive of this approach. On Mar 24, 2010, at 7:13 PM, David Recordon wrote: > I'm certainly supportive of this approach; Eran has shown that he's a > good editor. :) > > On Wed, Mar 24, 2010 at 10:11 AM, Blaine Cook wrote: >> >> >> Hi all, >> >> Hannes and I have discussed the

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Allen Tom
In our experience at Yahoo, we've found that many clients don't have the right time. You'd think that NTP would have solved this by now, but it hasn't for a surprising number of clients. Are timestamps really necessary in Oauth 2.0? In OAuth 1.0a, timestamps are included in the signature to protec

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread David Recordon
I'm certainly supportive of this approach; Eran has shown that he's a good editor. :) On Wed, Mar 24, 2010 at 10:11 AM, Blaine Cook wrote: > > > Hi all, > > Hannes and I have discussed the results of the WG meeting, and while > there was a lot of good discussion that happened, it seems like the

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Paul Lindner
Right now if a client with an inaccurate clock makes an OAuth call they are rejected. OAuth Problem Reporting includes a mechanism to send the server's concept of 'now' to the client: The parameter named *oauth_acceptable_timestamps* consists of two numb

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Luke Shepard
Hey Paul, I was just curious, what do you mean by OAuth Problem Reporting and clock synchronization? I'm not familiar with those. On Mar 24, 2010, at 4:12 PM, Paul Lindner wrote: > > > Here at LinkedIn we've been following the OAuth developments and we're all > happy to see progress being ma

Re: [OAUTH-WG] Next Steps

2010-03-24 Thread Paul Lindner
Here at LinkedIn we've been following the OAuth developments and we're all happy to see progress being made on 2.0. From our side we'd love to see standardization of a number of defacto standards we use in our implementation. Specifically the following: * OAuth Problem Reporting -- If we h

Re: [OAUTH-WG] new sponsorship, time available for WG

2010-03-24 Thread Dick Hardt
WIll do. Glad to hear you have a bunch of time on your hands. On 2010-03-24, at 11:53 AM, Eran Hammer-Lahav wrote: > I would suggest that people don't spend time on editorial and formatting of > their proposed text. Just post either documents or snippets and I will > incorporate them into the s

Re: [OAUTH-WG] new sponsorship, time available for WG

2010-03-24 Thread Eran Hammer-Lahav
I would suggest that people don't spend time on editorial and formatting of their proposed text. Just post either documents or snippets and I will incorporate them into the spec as soon as possible. I have the next 4 weeks set aside for making significant progress on this document. EHL > -

Re: [OAUTH-WG] First draft of OAuth 2.0

2010-03-24 Thread Eve Maler
I might be interested too; agree that it's not core to this group. Eve On 23 Mar 2010, at 5:15 PM, Chuck Mortimore wrote: > Outside the scope of what this WG should be tackling in the core spec IMO, > but I’d be interested in working on a profile. There is a lot of this > use-case be

Re: [OAUTH-WG] First draft of OAuth 2.0

2010-03-24 Thread Eve Maler
On 24 Mar 2010, at 9:54 AM, Hans Granqvist wrote: > On Tue, Mar 23, 2010 at 9:44 PM, Dick Hardt wrote: >> ... >> By keeping all profiles in one document, someone easily understands the >> different applications of the technology, and when a different use case >> comes up, they know it is availab

Re: [OAUTH-WG] What are the OAuth design principles?

2010-03-24 Thread Leif Johansson
On 03/23/2010 12:00 AM, Eve Maler wrote: Since the discussion in the "OAuth after-party" seemed to warrant bringing it up, I mentioned the UMA design principles/requirements document. You can find it here: http://kantarainitiative.org/confluence/display/uma/UMA+Requirements The discussion is

Re: [OAUTH-WG] new sponsorship, time available for WG

2010-03-24 Thread Brian Eaton
On Tue, Mar 23, 2010 at 10:18 PM, Dick Hardt wrote: > Microsoft recently offered to sponsor me to work on OAuth. For the past > few months I have participated in the WG on my own time, but I am now > able to devote a significant amount of time to this WG. Sweet. > At the IETF post meeting this w

[OAUTH-WG] Next Steps

2010-03-24 Thread Blaine Cook
Hi all, Hannes and I have discussed the results of the WG meeting, and while there was a lot of good discussion that happened, it seems like the next step for the WG is to buckle down and produce a stable draft that incorporates all the various proposals, in particular WRAP and OAuth 1.0a. David

Re: [OAUTH-WG] First draft of OAuth 2.0

2010-03-24 Thread Hans Granqvist
On Tue, Mar 23, 2010 at 9:44 PM, Dick Hardt wrote: > ... > By keeping all profiles in one document, someone easily understands the > different applications of the technology, and when a different use case comes > up, they know it is available rather than having to look at a different > document

Re: [OAUTH-WG] First draft of OAuth 2.0

2010-03-24 Thread Anthony Nadalin
Yes the flows are interesting and we would be willing to work on them -Original Message- From: Chuck Mortimore [mailto:cmortim...@salesforce.com] Sent: Wednesday, March 24, 2010 9:11 AM To: Anthony Nadalin; David Recordon; Torsten Lodderstedt; Mark Mcgloin Cc: OAuth WG Subject: RE: [OAUTH

Re: [OAUTH-WG] First draft of OAuth 2.0

2010-03-24 Thread Chuck Mortimore
Agreed - I think that stems from my original note...sorry if it accidentally put words in your mouth. I do believe that the original flow was authored by Dick when he was at Microsoft, and it's my understanding that you've actually similar pushed code; I've at least seen fairly detailed inform