Re: [OAUTH-WG] Fwd: Is OAUTHV2-HTTP_MAC dead?

2014-09-11 Thread Rex Albert
Hi Hannes, thank you very much for the response and it is very useful to have such detailed information. Thank you again for that. I am now reading about PoP and it is very interesting and also seeing HTTP signature as well. Our requirement in short - to achieve seamless authentication and authoriz

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Thomas Hardjono
+1 /thomas/ ___ On Sep 11, 2014, at 1:10, "Torsten Lodderstedt" <tors...@lodderstedt.net> wrote: +1 Original message From: John Bradley Date: 11.09.2014 02:22 (GMT+01:00) To: Mike Jones Cc: oauth@ietf.org

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
Is "experimental" the correct classification? Maybe "informational" is more appropriate as both of these were discussed. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, September 10, 2014 4:50 PM To: oauth@ietf.org Subject: [

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Richer, Justin P.
According to the guidelines here: https://www.ietf.org/iesg/informational-vs-experimental.html And the discussion in Toronto, it's clearly experimental. -- Justin On Sep 11, 2014, at 10:36 AM, Anthony Nadalin wrote: > Is "experimental" the correct classification? Maybe "informational" is mor

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
I don't see it that way as the guidelines are not clear and we should revisit this since there was no conclusion in Toronto. -Original Message- From: Richer, Justin P. [mailto:jric...@mitre.org] Sent: Thursday, September 11, 2014 8:01 AM To: Anthony Nadalin Cc: Hannes Tschofenig; oauth@ietf

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Phil Hunt
Interesting. The definitions in that don't correspond with what ADs and other groups are doing. I heard httpbis using experimental as a placeholder for a draft that didn't have full consensus to bring back later. That was the feel I had in Toronto-that we weren't done but it was time to publ

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread John Bradley
I think this fits. • If the IETF may publish something based on this on the standards track once we know how well this one works, it's Experimental. This is the typical case of not being able to decide which protocol is "better" before we have experience of dealing with them from a stab

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Richer, Justin P.
+1 That was the key line that I took from the guidelines as well and this was my understanding of the discussion in Toronto. -- Justin On Sep 11, 2014, at 12:02 PM, John Bradley wrote: > I think this fits. > > • If the IETF may publish something based on this on the standards > trac

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Phil Hunt
+1. Experimental seems best here. Phil > On Sep 11, 2014, at 9:03, "Richer, Justin P." wrote: > > +1 > > That was the key line that I took from the guidelines as well and this was my > understanding of the discussion in Toronto. > > -- Justin > >> On Sep 11, 2014, at 12:02 PM, John Bradle

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Hannes Tschofenig
I also looked at https://www.ietf.org/iesg/informational-vs-experimental.html and I got the impression that an Experimental RFC would be the right category. Ciao Hannes On 09/11/2014 06:03 PM, Richer, Justin P. wrote: > +1 > > That was the key line that I took from the guidelines as well and th

Re: [OAUTH-WG] Fwd: Is OAUTHV2-HTTP_MAC dead?

2014-09-11 Thread Hannes Tschofenig
Hi Rex, On 09/11/2014 10:15 AM, Rex Albert wrote: > Hi Hannes, > thank you very much for the response and it is very useful to have such > detailed information. thank you again for that. > I am now reading about PoP and it is very interesting and also seeing > HTTP signature as well. Thanks for

[OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)

2014-09-11 Thread Brian Campbell
Why does expiration only apply to the client secret[1]? If there's a need for the AS to set an expiration, isn't it broader than that and apply to the whole client or the client id? If there's a need to signal an expiration time on the client secret, doesn't it follow that the client's JSON Web Key

[OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Hannes Tschofenig
Hi all, in private messages I have gotten questions about this IPR announcement received in March 2014 and the potential implications on the core OAuth 2.0 protocol. I was thinking about putting it on the agenda for the next IETF meeting. The feedback I am hoping to get is whether there is a conc

Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread John Bradley
Some large number of us would be roasted by our legal departments if we looked at a patent. Discussing the specifics of patents is not appropriate for a WG meeting. Someone from the IETF should look at the issue but not me. John B. On Sep 11, 2014, at 7:22 PM, Hannes Tschofenig wrote: > Hi

Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Mike Jones
You should not bring this to the working group, other than making people aware that the disclosure exists (which you've already done). I know that I will leave the room if the contents of a patent are discussed and I will encourage others to likewise do so. Engineers should not evaluate patent

[OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Hannes Tschofenig
Hi all, at the last IETF meeting Mike gave a presentation about the draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion was to discuss the problems that happen when OAuth gets used for authentication. The goal of this effort is to document the problems in an informational doc

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Anthony Nadalin
Add me -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday, September 11, 2014 3:30 PM To: oauth@ietf.org Cc: Derek Atkins Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong? Hi all, at the last IETF meeting Mike gave a

Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Hannes Tschofenig
Hi Mike, as I wrote in my mail below, I am looking for feedback whether the IPR is a concern to companies. I am not asking for a patent assessment. Ciao Hannes On 09/12/2014 12:26 AM, Mike Jones wrote: > You should not bring this to the working group, other than making people > aware that the

Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Hannes Tschofenig
Hi John, don't misunderstand me: I am not planning to use our valuable OAuth WG time to go through the claims and to discuss them. Instead, I would like to point your attention to this IPR, to evaluate it within your company (with whatever fancy process you have), and to tell me at the upcoming I

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Nat Sakimura
Add me, too. 2014-09-12 7:32 GMT+09:00 Anthony Nadalin : > Add me > > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Thursday, September 11, 2014 3:30 PM > To: oauth@ietf.org > Cc: Derek Atkins > Subject: [OAUTH-WG] OAuth & Authenti

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Phil Hunt
Me too. Phil > On Sep 11, 2014, at 15:49, Nat Sakimura wrote: > > Add me, too. > > 2014-09-12 7:32 GMT+09:00 Anthony Nadalin : >> Add me >> >> -Original Message- >> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig >> Sent: Thursday, September 11, 2014 3:30

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Maciej Machulak
+1 -- Cheers, Maciej (sent from my tablet) On Sep 11, 2014 5:07 PM, "Phil Hunt" wrote: > +1. Experimental seems best here. > > Phil > > > On Sep 11, 2014, at 9:03, "Richer, Justin P." wrote: > > > > +1 > > > > That was the key line that I took from the guidelines as well and this > was my unde

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread John Bradley
And me Sent from my iPhone > On Sep 11, 2014, at 7:49 PM, Nat Sakimura wrote: > > Add me, too. > > 2014-09-12 7:32 GMT+09:00 Anthony Nadalin : >> Add me >> >> -Original Message- >> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig >> Sent: Thursday, Septembe

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Gil Kirkpatrick
+1 for me. -- Original Message -- From: "John Bradley" To: "Nat Sakimura" Cc: "Derek Atkins" ; "oauth@ietf.org" Sent: 12/09/2014 9:30:50 AM Subject: Re: [OAUTH-WG] OAuth & Authentication: What can go wrong? And me Sent from my iPhone On Sep 11, 2014, at 7:49 PM, Nat Sakimura wrote

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Antonio Sanso
I would like to attend as well … regards antonio On Sep 12, 2014, at 3:00 AM, Gil Kirkpatrick <gil.kirkpatr...@viewds.com> wrote: +1 for me. -- Original Message -- From: "John Bradley" <ve7...@ve7jtb.com> To: "Nat Sakimura" <sakim...@gmail.com> Cc: "Derek Atkins"

Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Tirumaleswar Reddy (tireddy)
And me. -Tiru From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Antonio Sanso Sent: Friday, September 12, 2014 12:20 PM To: Gil Kirkpatrick Cc: Derek Atkins; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth & Authentication: What can go wrong? I would like to attend as well ... regards anto