Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Michael, > From a programming standpoint, JSON is just easier to deal with. Consider > these two links: > > http://php.net/manual/en/book.json.php > > http://php.net/manual/en/book.xml.php > > and tell me which you'd rather deal with. It's not huge, but it's not > nothing either. To be fair,

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

On 24/04/2012 4:33 p.m., Mike Jones wrote: What specific language would you suggest be added to what section(s)? -- Mike Perhapse the last paragraph appended: " Because of the security weaknesses associated with the URI method (see Section 5), including

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

What specific language would you suggest be added to what section(s)? -- Mike -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Amos Jeffries Sent: Monday, April 23, 2012 7:10 PM To: oauth@ietf.org Subject: Re: [O

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

On 24.04.2012 13:46, internet-dra...@ietf.org wrote: A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens

[OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -19

Draft 19 of the OAuth 2.0 Bearer Token Specification has been published. Addressed DISCUSS issues and comments raised for which resolutions have been agreed to. No normative changes were made. Changes made were: * Use ABNF from RFC 5234. * Added sentence "The Bearer authenticat

[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens Author(s) : Michael B. Jones

Re: [OAUTH-WG] OAuth ABNF

We can do both (provide it as defined and in one section). But someone needs to prepare all the ABNFs first. EH From: Chuck Canning [mailto:chuck.cann...@deem.com] Sent: Monday, April 23, 2012 3:28 PM To: Eran Hammer; oauth@ietf.org WG (oauth@ietf.org) Subject: RE: OAuth ABNF As someone trying

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment VI

The treatment of client_id draft-ietf-oauth-assertions-01 seems a bit inconsistent/problematic. §4.1 & 4.2 say it's OPTIONAL. §'s 6.1 and 6.2 have, "The client_id HTTP parameter SHOULD identify the client to the authorization server" while 6.3 and 6.4 have, "The client_id HTTP parameter MUST iden

[OAUTH-WG] double normative? (draft-ietf-oauth-assertions WGLC comment V)

Sections 6.1, 6.2, 6.3 and 6.4 of http://tools.ietf.org/html/draft-ietf-oauth-assertions-01 are all similar in that they have a paragraph at the top that ends with, "The following format and processing rules SHOULD be applied:" followed by a bullet list of specific rules. However some of the indivi

[OAUTH-WG] OAuth ABNF

During the IESG review of draft-ietf-oauth-v2, Sean Turner raised the following DISCUSS item (meaning, the specification is blocked until this is resolved): > 0) General: I found the lack of ABNF somewhat disconcerting in that > implementers would have to hunt through the spec to figure out al

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment IV

§4.2* discusses the use of the scope parameter in an authorization grant request. This section should probably reference §3.3 of draft-ietf-oauth-v2** for the formal definition of scope and, subsequently, a fair amount of text can be removed from the assertions draft. * http://tools.ietf.org/htm

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Michael Thomas writes: > Derek Atkins wrote: >> Michael Thomas writes: >> >>> Why not MUST ASN.1 while you're at it? JSON has won in case >>> you'all haven't noticed it. >> >> Well, now that you mention it... ;-) >> >> But seriously, we're basing this work on an RFC that was just release >> si

Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

[I accidentally sent just to Barry my take on his addition which I think is fine except for one thing addition...] Barry Leiba wrote: You sent it just to me. I think it's a reasonable addition, so please send it to the distribution (which at the moment does not include the OAuth list, just the

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Stephen Farrell wrote: On 04/20/2012 03:40 PM, Michael Thomas wrote: Why not MUST ASN.1 while you're at it? JSON has won in case you'all haven't noticed it. Well, I also remember when XML won over ASN.1, or was that some RPC thing? Seems like a new format wins about every five years or so, on

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

On 2012/04/21 11:41, Stephen Farrell wrote: On 04/20/2012 03:40 PM, Michael Thomas wrote: Why not MUST ASN.1 while you're at it? JSON has won in case you'all haven't noticed it. Well, I also remember when XML won over ASN.1, or was that some RPC thing? Seems like a new format wins about ever

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

On Fri, Apr 20, 2012 at 10:41 PM, Stephen Farrell wrote: > > > On 04/20/2012 03:40 PM, Michael Thomas wrote: > > > > Why not MUST ASN.1 while you're at it? JSON has won in case > > you'all haven't noticed it. > > Well, I also remember when XML won over ASN.1, or > was that some RPC thing? Of cou

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

I want to completely agree with what Paul wrote: "What is a pain on the client side is conditional code that has to be followed in order to consume whatever the server wants to send. The client should have a single code path knowing it will get what it wants". BTW, this is also part of the arg

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

The point is that existing WF clients have been written to not use the resource parameter because in the past, that parameter hasn't been available or hasn't been reliable. If the resource parameter is required, this older method of fetching the host meta and constructing the url to fetch the user

[OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-xml-01.txt

New revision of the Alternate Encodings draft is now posted to the IETF data tracker. http://tools.ietf.org/html/draft-richer-oauth-xml-01 -- Justin Begin forwarded message: From: mailto:internet-dra...@ietf.org>> Subject: New Version Notification for draft-richer-oauth-xml-01.txt Date: April

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Derek Atkins wrote: Michael Thomas writes: Why not MUST ASN.1 while you're at it? JSON has won in case you'all haven't noticed it. Well, now that you mention it... ;-) But seriously, we're basing this work on an RFC that was just release six months ago and it requires XML. Why be so quic

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Tim Bray writes: > There's a disconnect here. Mnot and I (at least) have argued that > there are very specific problems and costs associated with going > multi-format. I’ve heard lots of people say "Well, I support > multi-format” but I haven’t heard any specific responses explaining > why those

Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

Michael Thomas writes: > > Why not MUST ASN.1 while you're at it? JSON has won in case > you'all haven't noticed it. Well, now that you mention it... ;-) But seriously, we're basing this work on an RFC that was just release six months ago and it requires XML. Why be so quick to drop somethin

Re: [OAUTH-WG] IIW and OAuth

As I understand it, the tag of "Yukon Day" is a suggestion and doesn't change the unconference format, and IIW attendees are free to ignore the theme, just like NSTIC day last time around. -- Justin On 04/23/2012 10:22 AM, John Bradley wrote: I was talking to Phil last week and Thursday is o

Re: [OAUTH-WG] IIW and OAuth

I was talking to Phil last week and Thursday is open IIW time like Tuesday - Wednesday. I had thought it was a Yukon day as well, but that is apparently not happening. I think there is also a OASIS trust elevation TC thing Marry is trying to do on Thursday as well at IIW. John B. On 2012-04-2

Re: [OAUTH-WG] Updated Charter to the IESG (this weekend)

Eve, A number of us want to hold a session on the Tuesday of IIW to discuss the various options, that people have built. UMA is one of the more advanced ones, but we also have Ping, MITRE, AOL, and others. There is a fair amount of overlap between them. If the AS RS work is not included in t

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment III

The following text appears in §4.1 and §4.2 defining (describing because it's already defined in core?) the client_id parameter, "client_id OPTIONAL. The client identifier as described in Section 3of OAuth 2.0 [ I-D.ietf.oauth-v2

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment II

The third paragraph of §4.1* has, "The following section defines the use of assertions as client credentials as an extension of Section 3.2of OAuth 2.0 [ I-D.ietf.oauth-v2

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment

§6.1 on Client authentication* has the following requirement, "The Principal MUST identify an authorized accessor. If the assertion is self-issued, the Principal SHOULD be the client_id." which doesn't really make sense for client authentication. The self-issuedness of the assertion should have

Re: [OAUTH-WG] WGLC on Assertion Drafts

Just a note (to myself as much as anything) that that same text is also in §6.2, §6.3 & §6.4 and should updated for all occurrences. On Fri, Apr 13, 2012 at 12:55 PM, Zeltsan, Zachary (Zachary) < zachary.zelt...@alcatel-lucent.com> wrote: > Chuck, > > ** ** > > The intent is clear. Perhaps th