Re: [OAUTH-WG] why are we signing?
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 30 November 2009 20:28 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B32D3A697E for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 12:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.473
X-Spam-Level:
X-Spam-Status: No, score=-2.473 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIro-r3KY8xN for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 12:28:38 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 2D9B33A6979 for <oauth@ietf.org>; Mon, 30 Nov 2009 12:28:38 -0800 (PST)
Received: (qmail 22643 invoked from network); 30 Nov 2009 20:28:29 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 30 Nov 2009 20:28:29 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Mon, 30 Nov 2009 13:27:22 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, ext Dick Hardt <Dick.Hardt@microsoft.com>
Date: Mon, 30 Nov 2009 13:27:26 -0700
Thread-Topic: [OAUTH-WG] why are we signing?
Thread-Index: AQHKYPpiJlPvjbF+7Eug3PbIB1m6s5EuVfSAgAED2ACAAt81AIAAASmAgABrE4CAAH1JAIABBIUAgACcJwCAAAx/gIAa2A2A//97K4CAAA8m8A==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com><35D50F5C-3982-4298-A9E0-86A528F5C5D3@jkemp.net><daf5b9570911092158k682aff63l959c423c399b2277@mail.gmail.com><4A956CE47D1066408D5C7EB34368A5110551FFC1@S4DE8PSAAQC.mitte.t-com.de><daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET><cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET><cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 20:28:39 -0000
OAuth is being proposed as a generally useful method for securing API calls. I expect many open source libraries to implement it on the server side and use it for blog plugins, widgets, and other highly distributed software. If OAuth required the use of TLS, it would simply be ignored by all those applications which will likely continue using Basic. With all due respect to big companies, their resources, and ability to effortlessly deploy SSL/TLS, it is still an expensive and complex process for more developers deploying small scale server components. EHL > -----Original Message----- > From: Tschofenig, Hannes (NSN - FI/Espoo) > [mailto:hannes.tschofenig@nsn.com] > Sent: Monday, November 30, 2009 11:23 AM > To: ext Dick Hardt; Eran Hammer-Lahav > Cc: oauth@ietf.org > Subject: RE: [OAUTH-WG] why are we signing? > > I would also like to hear about the cases where TLS is not suitable. > > Hannes > > >-----Original Message----- > >From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > >Of ext Dick Hardt > >Sent: 30 November, 2009 21:18 > >To: Eran Hammer-Lahav > >Cc: oauth@ietf.org > >Subject: Re: [OAUTH-WG] why are we signing? > > > > > >On 2009-11-13, at 7:21 AM, Eran Hammer-Lahav wrote: > >> > >> I for one, see great value in offering some form of > >crypto-based security for cases where TLS is not suitable. > > > > > >Are these use cases enumerated somewhere? > > > >(Apologies for coming into the conversation late) > > > >_______________________________________________ > >OAuth mailing list > >OAuth@ietf.org > >https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Chris Messina
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? John Kemp
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Igor Faynberg
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? BeckW
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] OAuth WRAP RL 'Bob' Morgan
- Re: [OAUTH-WG] OAuth WRAP Chris Messina
- Re: [OAUTH-WG] [WRAP] Re: OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] OAuth WRAP Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? George Fletcher
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Prateek Mishra
- Re: [OAUTH-WG] why are we signing?; OAuth 2.0 / C… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Richard Barnes
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation (was: Re: why a… Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation Vrancken Bart bv
- Re: [OAUTH-WG] multi-level delegation (was: Re: w… Zeltsan, Zachary (Zachary)