Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-10-02 Thread Breno
I support breaking the document into two parts. Methods to access APIs are not going to be many -- there are currently two proposals on the table, OAuth1.0-like signatures and signed JSON tokens -- but the existing proposals are fundamentally different. There's probably little to gain in writing t

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-10-01 Thread Eran Hammer-Lahav
Given the overwhelming support for this proposal, I am officially asking the chairs to make a consensus call to break the current document into two parts. This will be done with the understanding that the result will be reviewed by the working group again once the parts are stable to determine i

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-10-01 Thread Pelle Wessman
+1, I think this sounds like a sensible path forward On Tue, Sep 28, 2010 at 8:25 AM, Eran Hammer-Lahav wrote: > (Please take a break from the other threads and read this with an open > mind. I have tried to make this both informative and balanced.) > > > > --- IETF Process > > > > For those unfa

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-30 Thread Dick Hardt
On 2010-09-30, at 11:33 AM, Eran Hammer-Lahav wrote: >> -Original Message- >> From: Dick Hardt [mailto:dick.ha...@gmail.com] >> Sent: Thursday, September 30, 2010 7:45 AM > >> The suggested change does not address the issue that myself and others had >> raised with having signatures be i

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-30 Thread Eran Hammer-Lahav
> -Original Message- > From: Dick Hardt [mailto:dick.ha...@gmail.com] > Sent: Thursday, September 30, 2010 7:45 AM > The suggested change does not address the issue that myself and others had > raised with having signatures be in the core. The suggestion was that having > signatures be a d

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-30 Thread Dick Hardt
Note there will be three documents not two. The suggested change does not address the issue that myself and others had raised with having signatures be in the core. The suggestion was that having signatures be a different spec made them reusable by other groups and enabled a more comprehensive

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-30 Thread Lukas Rosenstock
+1 While it's good to have one document, it's better to have two good documents instead of one that we're unhappy with. There'll be "Implementer's Guides" and "Tutorials" later who will do the job of explaining how to make sense of the two (which of course doesn't mean I'm advocating specificatio

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Luke Shepard
Okay, I'm fine with proceeding down this path. My takeaway is that I don't care really where signatures live, but we definitely need a threat analysis and security considerations document dealing with how and in what contexts to use bearer tokens. On Sep 28, 2010, at 10:08 AM, Eran Hammer-Lahav

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Thomas Hardjono
+1 I think this is a reasonable & practical proposal. /thomas/ From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, September 28, 2010 2:26 AM To: OAuth WG (oauth@ietf.org) Subject: [OAUTH-WG] Looking for a compromise on signatures

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Eran Hammer-Lahav
Thanks Mark. > -Original Message- > From: Mark Mcgloin [mailto:mark.mcgl...@ie.ibm.com] > Sent: Wednesday, September 29, 2010 8:28 AM > I think acquiring and using a token can be considered core as you always > need both. I don't have valid security consideration linkage between > acquiri

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Mark Mcgloin
Eran Hammer-Lahav wrote on 29/09/2010 15:50:33: > > > > -1 to splitting acquiring and using a token. It may not confuse > people actively > > engaged in the WG but what about everyone else? > > We are already splitting it, by putting signatures elsewhere. Just > because you might think bearer to

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Anthony Nadalin
side stepping. From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Luke Shepard Sent: Tuesday, September 28, 2010 9:16 AM To: Eran Hammer-Lahav Cc: OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues Eran- Thank

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Eran Hammer-Lahav
> -Original Message- > From: Mark Mcgloin [mailto:mark.mcgl...@ie.ibm.com] > Sent: Wednesday, September 29, 2010 12:55 AM > I echo Dick's sentiment, mildly > > -1 to splitting acquiring and using a token. It may not confuse people > actively > engaged in the WG but what about everyone

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-29 Thread Mark Mcgloin
I echo Dick's sentiment, mildly -1 to splitting acquiring and using a token. It may not confuse people actively engaged in the WG but what about everyone else? Also, as Torsten and I look at security considerations, I wonder if there are some examples that link the threat model for acquiring a to

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Eran Hammer-Lahav
> -Original Message- > From: Dick Hardt [mailto:dick.ha...@gmail.com] > Sent: Tuesday, September 28, 2010 5:09 PM > I am mildly concerned that breaking the spec into multiple parts makes it > harder for the spec reader to understand what is going on. Where does a > complete example of ge

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Dick Hardt
I am mildly concerned that breaking the spec into multiple parts makes it harder for the spec reader to understand what is going on. Where does a complete example of getting and using a token? Imagine how confusing HTTP would be if the request and response were in separate specs. I'm not sure t

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Lu, Hui-Lan (Huilan)
, 2010 2:26 AM To: OAuth WG (oauth@ietf.org) Subject: [OAUTH-WG] Looking for a compromise on signatures and other open issues (Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Lu, Hui-Lan (Huilan)
2:26 AM To: OAuth WG (oauth@ietf.org) Subject: [OAUTH-WG] Looking for a compromise on signatures and other open issues (Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Peter Saint-Andre
On 9/28/10 12:25 AM, Eran Hammer-Lahav wrote: > (Please take a break from the other threads and read this with an open > mind. I have tried to make this both informative and balanced.) > > --- IETF Process > > For those unfamiliar with the IETF process, we operate using rough > consensus. This me

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Keenan, Bill
+1 Eran, thanks for framing this up... On Sep 28, 2010, at 12:14 PM, Brian Campbell wrote: > +1 seems like a pragmatic compromise > > On Tue, Sep 28, 2010 at 12:44 PM, Marius Scurtescu > wrote: >> On Tue, Sep 28, 2010 at 9:05 AM, George Fletcher wrote: >>> +1 I think this is a great path forw

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread John Panzer
+1. -- John Panzer / Google jpan...@google.com / abstractioneer.org / @jpanzer On Mon, Sep 27, 2010 at 11:25 PM, Eran Hammer-Lahav wrote: > (Please take a break from the other threads and read this with an open > mind. I have tried to make this both informative

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Brian Campbell
+1 seems like a pragmatic compromise On Tue, Sep 28, 2010 at 12:44 PM, Marius Scurtescu wrote: > On Tue, Sep 28, 2010 at 9:05 AM, George Fletcher wrote: >> +1 I think this is a great path forward > > +1 > > > Marius

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Marius Scurtescu
On Tue, Sep 28, 2010 at 9:05 AM, George Fletcher wrote: > +1 I think this is a great path forward +1 Marius

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Eran Hammer-Lahav
> -Original Message- > From: Luke Shepard [mailto:lshep...@facebook.com] > Sent: Tuesday, September 28, 2010 9:16 AM > As far as the charter: this workgroup has had a focus on building an > interoperable, easy-to-use, developer-friendly standard that is actually used. > With the goal of

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Luke Shepard
Eran- Thanks for writing a great explanation of where we are so far. I agree that it makes sense to logically separate "getting a token" from "using a token", and we should structure it so that there can be extension specs about how to use a token. It also seems clear that we should do some mor

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread George Fletcher
+1 I think this is a great path forward On 9/28/10 2:25 AM, Eran Hammer-Lahav wrote: (Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar with the IETF process, we operat

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Stefanie Dronia
+1 to split the spec into multiple parts On 28.09.2010 08:25, Eran Hammer-Lahav wrote: (Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar with the IETF process, we op

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Justin Richer
+1 on the split. I think it's an elegant approach, and it won't be any harder to follow than a monolithic spec with multiple optional sections. Especially if we put together the right guidance as a gateway to the spec. OAuth 1.0 (and -a) really talk about three different things: how to get a token

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-28 Thread Manger, James H
Sounds great Eran, > 1. Add a parameter to the token response to include an extensible token > scheme. Yes. I suggest a parameter named "scheme". The value can be an HTTP authentication scheme name (eg "scheme":"BASIC") for which the response is providing credentials. Not all possibilities

[OAUTH-WG] Looking for a compromise on signatures and other open issues

2010-09-27 Thread Eran Hammer-Lahav
(Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar with the IETF process, we operate using rough consensus. This means most people agree and no one strongly objects. If some