> >both random-hex tokens and signed JWTs is equally powerful. The fact
> >that I can reuse 90% of that code and also get signed MAC tokens is
> >likewise powerful.
> >
> >Thus, I stand by my originally-suggested text and respectfully submit it
> >to the editor and workin
kewise powerful.
>
>Thus, I stand by my originally-suggested text and respectfully submit it
>to the editor and working group for consideration of inclusion in this
>section.
>
> -- Justin
>
>On 01/26/2012 12:49 PM, Eran Hammer wrote:
>>
>>> -Original Messag
respectfully submit it
to the editor and working group for consideration of inclusion in this
section.
-- Justin
On 01/26/2012 12:49 PM, Eran Hammer wrote:
-Original Message-
From: Justin Richer [mailto:jric...@mitre.org]
Sent: Thursday, January 26, 2012 6:07 AM
To: Eran Hammer
Cc:
ailto:jric...@mitre.org]
>> Sent: Thursday, January 26, 2012 6:07 AM
>> To: Eran Hammer
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] AD Review of -22 (part II)
>>
>> I realize that -23 is already published with the below text, but since this
>> is a
>> wh
> -Original Message-
> From: Justin Richer [mailto:jric...@mitre.org]
> Sent: Thursday, January 26, 2012 6:07 AM
> To: Eran Hammer
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] AD Review of -22 (part II)
>
> I realize that -23 is already published with the below text
Yes Justin's rewording makes it sound less like non-interoperability is a
desired outcome.
On 2012-01-26, at 11:06 AM, Justin Richer wrote:
> I realize that -23 is already published with the below text, but since this
> is a whole new section and nobody else seemed to bring it up, I wanted to
I realize that -23 is already published with the below text, but since
this is a whole new section and nobody else seemed to bring it up, I
wanted to make sure it wasn't missed by the WG.
Suggested non-trivial clarifications:
-
(1) 1.3.4 - "previously arran
As before,
Thanks
S
On 21 Jan 2012, at 02:53, Eran Hammer wrote:
>> -Original Message-
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Stephen Farrell
>> Sent: Thursday, October 13, 2011 10:13 AM
>
>> Original list of nits:
>> --
>>
>
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Stephen Farrell
> Sent: Thursday, October 13, 2011 10:13 AM
> Original list of nits:
> --
>
> - Intro: Maybe add some ascii-art showing the roles of the user, browser,
>
Same response as for part I from me,
S
On 01/21/2012 01:04 AM, Eran Hammer wrote:
-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Stephen Farrell
Sent: Thursday, October 13, 2011 10:13 AM
Suggested non-trivial clarifications:
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Stephen Farrell
> Sent: Thursday, October 13, 2011 10:13 AM
> Suggested non-trivial clarifications:
> -
>
> (1) 1.3.4 - "previously arranged" might trigge
FWIW, from my p-o-v everything here is either ok,
me being dumb (the password one, I need to check),
part of some other thread, or stuff that's ok to
resolve if necessary at IETF LC or later.
So - I'd say firing away with -23 and getting this
out the door (once current threads resolve themselves
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Stephen Farrell
> Sent: Thursday, October 13, 2011 10:13 AM
> List 1 - Fairly sure these need changes:
>
>
> (1) In 2.3.1 MUST the AS support both HT
ustin Richer ; William Mills ;
"oauth@ietf.org"
Sent: Thursday, November 3, 2011 9:47 AM
Subject: Re: [OAUTH-WG] AD review of -22
+1
I note that RFCs 2616 & 2617 only reference each other. There is no MTI text.
It just references them.
It may be reasonable to observe that there
-Original Message-
From: Justin Richer [mailto:jric...@mitre.org]
Sent: Thursday, November 03, 2011 5:46 AM
To: William Mills
Cc: Eran Hammer-Lahav; John Bradley; Torsten Lodderstedt; oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22
This is exactly what I was thinking of. If a give
nterop is not really an issue ATM.
>
> EHL
>
>> -Original Message-
>> From: Justin Richer [mailto:jric...@mitre.org]
>> Sent: Thursday, November 03, 2011 5:46 AM
>> To: William Mills
>> Cc: Eran Hammer-Lahav; John Bradley; Torsten Lodderstedt; oauth
EHL
> -Original Message-
> From: Justin Richer [mailto:jric...@mitre.org]
> Sent: Thursday, November 03, 2011 5:46 AM
> To: William Mills
> Cc: Eran Hammer-Lahav; John Bradley; Torsten Lodderstedt; oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
>
> This is exactly
is the value of mandating a token type?
>
>
>
> -bill
>
>
>
>
> __
> From: Eran Hammer-Lahav
> To: John Bradley ; Torsten Lodderstedt
>
> Cc: "oauth@ietf.org"
> Sent: Wednesday, November 2, 2011 1:11 PM
> Subject
an Hammer-Lahav
To: John Bradley ; Torsten Lodderstedt
Cc: "oauth@ietf.org"
Sent: Wednesday, November 2, 2011 1:11 PM
Subject: Re: [OAUTH-WG] AD review of -22
Do you want to see no change or adjust it to client must implement both, server
de
e library'.
>>
>> EHL
>>
>> ________
>> From: Stephen Farrell [stephen.farr...@cs.tcd.ie]
>> Sent: Wednesday, November 02, 2011 1:45 PM
>> To: John Bradley
>> Cc: Eran Hammer-Lahav; oauth@ietf.org
>> Subjec
t: Wednesday, November 02, 2011 1:45 PM
> To: John Bradley
> Cc: Eran Hammer-Lahav; oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
>
> So perhaps this is the interesting point of difference.
>
> On 11/02/2011 08:37 PM, John Bradley wrote:
>> It is up to the ser
n.farr...@cs.tcd.ie]
Sent: Wednesday, November 02, 2011 1:45 PM
To: John Bradley
Cc: Eran Hammer-Lahav; oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22
So perhaps this is the interesting point of difference.
On 11/02/2011 08:37 PM, John Bradley wrote:
> It is up to the server to decide what fo
If we must define a mandatory token type then bearer + TLS would be my
suggestion.
regards,
Torsten.
Am 02.11.2011 21:28, schrieb Stephen Farrell:
Hi Torsten,
On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote:
Hi Stephen,
I'm concerned about your proposal (7) to make support for MAC a MUST
So perhaps this is the interesting point of difference.
On 11/02/2011 08:37 PM, John Bradley wrote:
It is up to the server to decide what formats it will support.
With IETF protocols, it's IETF consensus that decides this in
almost all cases that affect interop and it is therefore not
up to th
The issue is that the service provider will likely only accept ONE token format
in practice. The security requirements of the scenario dictate choice of Mac or
bearer or for that matter any other new scheme.
An MTI would complicate the spec by implying a choice of tokens by the client
because
un...@ietf.org] On Behalf Of John
> Bradley [ve7...@ve7jtb.com]
> Sent: Wednesday, November 02, 2011 1:06 PM
> To: Torsten Lodderstedt
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
>
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>
>>
Agnostic sounds like a fine word.
I'd need to have it demonstrated to me that it doesn't
mean non-interoperable in this case.
S.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22
+1
Leave the current text as is, keep this part of OAuth token-type agnostic.
-- Justin
On Wed, 2011-11-02 at 13:18 -0700, Phil Hunt wrote:
> +1
>
>
> Phil
>
>
> @independentid
> www.independent
Hi Torsten,
On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote:
Hi Stephen,
I'm concerned about your proposal (7) to make support for MAC a MUST for
clients and BEARER a MAY only. In my opinion, this does not reflect the
group's consensus.
That wasn't quite my comment, which is below:
(7)
+1
Leave the current text as is, keep this part of OAuth token-type
agnostic.
-- Justin
On Wed, 2011-11-02 at 13:18 -0700, Phil Hunt wrote:
> +1
>
>
> Phil
>
>
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
>
>
>
>
>
>
>
> On 2011-11-02, at 1:06 PM, John Bradley
+1
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
On 2011-11-02, at 1:06 PM, John Bradley wrote:
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>
>> Hi Stephen,
>>
>> I'm concerned about your proposal (7) to make support for MAC a MUST for
>> clients and BEA
Lodderstedt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22
+1
On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
Hi Stephen,
I'm concerned about your proposal (7) to make support for MAC a MUST for
clients and BEARER a MAY only. In my opinion, this does not reflect the gr
+1
On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> Hi Stephen,
>
> I'm concerned about your proposal (7) to make support for MAC a MUST for
> clients and BEARER a MAY only. In my opinion, this does not reflect the
> group's consensus. Beside this, the security threat analysis justifies
Hi Stephen,
I'm concerned about your proposal (7) to make support for MAC a MUST for
clients and BEARER a MAY only. In my opinion, this does not reflect the
group's consensus. Beside this, the security threat analysis justifies
usage of BEARER for nearly all use cases as long as HTTPS (incl. s
I have not seen any responses to these items so I assume the group is in
agreement with the comments made. I will push out a revised ID addressing these
items in a few days.
EHL
From: oauth-boun...@ietf.org [oauth-boun...@ietf.org] On Behalf Of Stephen