Re: [apps-discuss] HTTP MAC Authentication Scheme

Stephen Farrell <> Fri, 03 June 2011 12:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C2180E0714; Fri, 3 Jun 2011 05:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QpMnUKF7BM61; Fri, 3 Jun 2011 05:26:59 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B4A26E06D3; Fri, 3 Jun 2011 05:26:56 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 49D41171C30; Fri, 3 Jun 2011 13:26:55 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1307104014; bh=Q+JdJI1kXBA9eH 9b6Y2qCB0QRbUR9H7RHhiWCvjUFeo=; b=N1PKaHRptFYeLUajLdGdur0Ld5LqE0 HDQhAvu/rkDmIz/pMpxIsn/xp0YhfCrvAtZDQ3Ckz4pe0PGUSRB/b4TyISIpNk5L Ut6/1asppg+oA4/BTDaK78mO9wd+TvhUXp45fQ5C764h2n3xdmNcKfbnZbap8KtZ w03WP+l5n27LTfv+KLoMWQh5V4zDTyrv1FUqQCAf2rucEmDlcg4DiDs1ALGWn4Cf 9Eqqh8HCNRD5t6jl9vTvgXxHrLf4RKyiJMqyuocfjGBvW2eHosPx7zAymzl94dZP cLIcOHy7dXl/cfTDl5J6kf4W2VdZayPXy0jVKKodwzKxu9IK0tMPlWEQ==
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10027) with ESMTP id bBe2TUES7iDn; Fri, 3 Jun 2011 13:26:54 +0100 (IST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 74227171C2E; Fri, 3 Jun 2011 13:26:51 +0100 (IST)
Message-ID: <>
Date: Fri, 03 Jun 2011 13:26:28 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: OAuth WG <>, HTTP Working Group <>, "" <>, "" <>
Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Jun 2011 12:26:59 -0000

Hi Dave,

On 02/06/11 22:16, Dave CROCKER wrote:
> Stephen,
> On 6/1/2011 5:16 AM, Stephen Farrell wrote:
>> Just on DOSETA - that's not currently got any official
>> home in the IETF so its not something that would be right
>> to reference at this point (unless the oauth WG wanted to
>> adopt DOSETA but I'd be very surprised if that were the
>> case for timing reasons).
> I'm confused on two counts.  (To be honest, of course, I'm confused
> about many points, but two of them are relevant to this thread...)
> One, of course, is that I've been actively raising DOSETA in various
> IETF venues for the different groups to considering adopting and/or
> adapting it.  As such, discussion of DOSETA permits exploring the
> possibility of adoption and/or adaptation.

I don't get the confusion aspect there, but the rest below
might clarify.

> The second is that you appear to be stating a policy that a working
> group is only permitted to reference things which are currently and
> officially IETF work items.  I suspect that that is not what you meant,
> so at the least, please clarify what you do mean.

Right. I wasn't stating any general policy.

What I meant was that the oauth WG needs to get oauth2.0 done
and that seems to require also getting the mac scheme done, so
adding a dependency to something at an early stage of development
(like DOSETA) at this point would not be a good plan for oauth.
That's all. Exploring  whether DOSETA or something similar is
useful is a fine thing to do, its just a bit early for oauth.

> If you really do mean anything like the interpretation I just
> summarized, please explain its basis.
>> To be clear, as an individual, I do think that "something
>> like DOSETA" is a really good idea and maybe DOSETA will
>> turn out to be that something, I don't know.
> If it is not acceptable to 'reference' DOSETA now and here, then how
> will the determination of its utility be made?

Following our usual highly-predictable process I guess;-)

I assume that the next step would be for a bunch of interested
folks to figure out where and when it might make sense to do
more on DOSETA.


> Thanks.
> d/