Re: [oauth] Comment on charter
Blaine Cook <romeda@gmail.com> Sun, 08 February 2009 13:59 UTC
Date: Sun, 08 Feb 2009 14:59:15 +0100
Message-ID: <d37b4b430902080559g25e2b3dbp70a8c677edf742b5@mail.gmail.com>
From: Blaine Cook <romeda@gmail.com>
To: Lisa Dusseault <lisa.dusseault@gmail.com>
Cc: gregory.ietf@gmail.com, oauth@ietf.org
Subject: Re: [oauth] Comment on charter
On Fri, Feb 6, 2009 at 8:04 PM, Lisa Dusseault <lisa.dusseault@gmail.com> wrote:

> * Assure good security practice, or document gaps in its capabilities
>
> ...
>
> Change second bullet to:
> "* Assure good security practice, or document gaps in its capabilities, and propose a path forward for addressing the gap."
>
> ... We are learning over time that (1) documenting security gaps, combined with (2) a clear path to addressing gaps, and (3) work in progress to addressing gaps goes a long way to making less-than-best-security-practice specifications more acceptable.
>
> I.e. The charter change I propose is geared toward helping Oauth see the light of day more quickly, and have an incremental path toward best-practice security.

I fully agree. My approach to security, and I think this is true for others involved with OAuth, is to strive for the best security that will actually work. That is to say that if OAuth wasn't adopted because the security introduced a too-high barrier to adoption, then the reality is that everyone has less security overall since they're using Basic auth or whatever other (less secure) alternative.

By pushing forward OAuth, we've educated people and informed discussions around security, enabling people to think about even better approaches, and as those conversations mature, we (as the web community in general) should absolutely be active in ensuring that we offer the best usable solutions possible.

b.