Re: [OAUTH-WG] return to draft 6 spec org?
Brian Eaton <beaton@google.com> Tue, 13 July 2010 06:22 UTC
On Sun, Jul 11, 2010 at 7:37 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> I think the way to solve it is to make them more detailed and normative.
> This will retain the general framework as currently specified, but will
> provide a reference-able description of useful profiles. This will also make
> it easier to discuss the security attributes of each profile. In addition,
> it is probably only useful to define the user-agent and web-based as
> fully specified profiles, given that the rest are not really profiles but
> vague guidelines as to how to use OAuth for other “stuff”.

Actually, the old "vague guidelines" weren't vague, and they weren't guidelines. They were very specific instructions on how flows should be implemented. They dated back to the WRAP specification, which multiple organizations reviewed carefully because they were all going to implement those flows the exact same way.

The new spec has turned what used to be very precise language into mush. It's introduced confusion and security problems that weren't present originally. Please fix them.

The client credentials flow is a great point of comparison.

Here's Dick's draft:
http://tools.ietf.org/html/draft-hardt-oauth-01#section-5.1.2

Here's draft 6:
http://tools.ietf.org/html/draft-ietf-oauth-v2-06#section-2.9.1

Here's draft 10:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1

Dick's draft:
- clear guidance on use case
- obvious normative language specifying exactly one way to send a request
- one success response
- one error response
- normative language specifying error handling

Draft 6:
- vague guidance on use case
- obvious normative language specifying exactly one way to send a request
- two success responses, with no way to distinguish which the server should send. But one of them is insecure.
- one error response
- no normative language specifying error handling

Draft 10:
- no guidance on use case
- confusing normative language
- two success responses, with no way to distinguish which the server should send. But one of them is insecure.
- six different error responses (most of which don't make sense for the use case and will never be used.)
- no normative language specifying error handling

Cheers,
Brian