Re: [OAUTH-WG] Mandatory-to-implement token type

Michael Thomas <> Fri, 02 December 2011 02:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 08FB81F0C5E for <>; Thu, 1 Dec 2011 18:57:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id I8DBkSVjLX8z for <>; Thu, 1 Dec 2011 18:57:43 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 5AC371F0C35 for <>; Thu, 1 Dec 2011 18:57:43 -0800 (PST)
Received: from ( []) (authenticated bits=0) by (8.14.3/8.14.3) with ESMTP id pB22vZOk028918 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 1 Dec 2011 18:57:35 -0800
Message-ID: <>
Date: Thu, 01 Dec 2011 18:57:35 -0800
From: Michael Thomas <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20090605 Thunderbird/ Mnenhy/
MIME-Version: 1.0
To: Stephen Farrell <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2119; t=1322794657; x=1323658657; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;;; z=From:=20Michael=20Thomas=20<> |Subject:=20Re=3A=20[OAUTH-WG]=20Mandatory-to-implement=20t oken=20type |Sender:=20 |To:=20Stephen=20Farrell=20<> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=gsxCmao/8BbJaWLFTHr1niGTlIpn8zRfjzJY6iW76vU=; b=rNSTDvuHdxAe4iQgOq22lEC8mp3O3xqRXHeWE+d6VNga+s7svn5PFOYKUO FCEcLyoaYAYRWraZzgKDGTHKl93NWYNsKg9WkH8CJDv/y/A3p+GKLI6wNCpe QllEDVqK4g2yY4qKf0zIPNHzvJlnT8WiMiR4GPIdOD5G1siPwEkIw=;
Authentication-Results: ; v=0.1; dkim=pass ( sig from verified; ); dkim-asp=pass
Cc: Barry Leiba <>, oauth WG <>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Dec 2011 02:57:44 -0000

On 12/01/2011 06:22 PM, Stephen Farrell wrote:
> > If something is required to
>> be implemented but is unused -- which will happen if the profile
>> chosen by the SDK doesn't need the required one -- you're not going
>> to get better interoperability, you're just going to get untested code.
> That'd be a fair point if the MTI wasn't used.
> While that might be true of MAC, I doubt it'd be true for bearer,
> which is what seemed to be the thing folks in the room in Taipei
> would pick, had they to pick.
> So yes, your argument would be telling if the WG chose a rare
> beast as the MTI thing.
>> I don't see what the big deal is about saying that discovery, etc, is
>> for a -bis release of this PS. That would take care of your problem of
>> reaching back into this PS to change just this part. And what are the
>> chances of not having a recycle anyway with any well-deployed PS?
>> Zero?
> That's not a reason to not fix an easily fixable thing now though.

What bothers me here is overreach. If the wg has come to the conclusion
that the standardizing the status quo of purpose built sdk's is a Good Thing,
then that is still a pretty good reason to create a standard -- if nothing else,
it dissuades people from badly rolling their own.  Stopping there is ok, IMO.
It still serves a purpose.

Also: it seems to me that the longer term solution for libraries implementing
oauth is not to have a single point of interoperability, but a suite of algorithms/
methods that satisfy the various policies of many/most deployments. That
is, they're going to need to MUST IMPLEMENT a whole lot of things, not just one.

So I just don't see this MUST as doing anything especially useful, and has the
downside of making perfectly reasonable purpose-build SDK's "non-conformant".
That said, I don't think the world will fail to revolve if this goes in there. Mostly,
I think that it will be ignored. But that's what bothers me: putting stuff in that
you know will be disregarded with impunity is not good.

Mike, listening to Ken Burns' Prohibition in the background