Re: [OAUTH-WG] Signatures, Why?
Eve Maler <eve@xmlgrrl.com> Fri, 12 March 2010 22:09 UTC
To: Brian Eaton <beaton@google.com>
Cc: OAuth WG <oauth@ietf.org>
Agreed that token signing is separate from message signing as a proposition. I just happened to stick all of our "signing" conversations into one bucket of notes... Sorry that was confusing.

Eve

On 12 Mar 2010, at 11:06 AM, Brian Eaton wrote:

> On Fri, Mar 12, 2010 at 10:22 AM, Eve Maler <eve@xmlgrrl.com> wrote:
>> It was observed that the argument in the OAuth community about token size
>> seems to be related to token signing, thusly: those who are willing to
>> require the Authorization Server to be stateless need large meaningful
>> tokens and want them signed; those who can use a stateful Authorization
>> Server can use small opaque tokens that don't need signing.
>
> This seems orthogonal. The confusion in this working group has not,
> for the most part, been about whether access tokens should be signed.
>
> The debate has been more about whether clients need to use signatures
> when requesting access tokens, or when using access tokens. On one
> side there are people who would prefer bearer tokens, and on the other
> side there are folks who want crypto in various bits of the protocol
> to meet different use cases.
>
> Cheers,
> Brian

Eve Maler
eve@xmlgrrl.com
http://www.xmlgrrl.com/blog
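
The trade-off in the quoted observation, as an added example that is not part of the original message or of any OAuth draft: a self-contained token that a stateless server validates by checking a tag, beside a small opaque handle that needs a server-side lookup. The claim names, the key, the in-memory store and the use of HMAC-SHA256 in place of a signature are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

AS_KEY = secrets.token_bytes(32)  # constructed key shared by the AS and the resource server
TOKEN_STORE = {}                  # server-side state, used only by the opaque variant

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_signed(claims: dict) -> str:
    """Stateless: the token carries its claims, protected by an HMAC tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)

def verify_signed(token: str, now: int):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token: wrong part count, bad base64 or bad JSON
    return claims if claims.get("exp", 0) > now else None

def issue_opaque(claims: dict) -> str:
    """Stateful: the token is a random handle; the claims stay on the server."""
    handle = secrets.token_urlsafe(16)
    TOKEN_STORE[handle] = claims
    return handle

def verify_opaque(token: str, now: int):
    """Look the handle up; an unknown or expired handle yields None."""
    claims = TOKEN_STORE.get(token)
    return claims if claims and claims.get("exp", 0) > now else None

def revoke_opaque(token: str) -> None:
    """Revocation is a delete for the stateful variant."""
    TOKEN_STORE.pop(token, None)
```

The signed token stays valid until its `exp` passes, because the stateless verifier keeps no record it could delete; the opaque handle can be revoked immediately, at the cost of a lookup on every request.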