Re: [OAUTH-WG] 2nd Call for Adoption: Authentication Method Reference Values

John Bradley <> Thu, 03 March 2016 17:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E30DA1B2B09 for <>; Thu, 3 Mar 2016 09:52:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vXBXHfQBf6-3 for <>; Thu, 3 Mar 2016 09:52:35 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 69D4F1B2B05 for <>; Thu, 3 Mar 2016 09:52:25 -0800 (PST)
Received: by with SMTP id u110so23170308qge.3 for <>; Thu, 03 Mar 2016 09:52:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=AKgPcGJT/7vWyErtNQM1Lb6zV6x3/x2KCY8F/ZlXHto=; b=VrYE/UVEoy3xhSmpR72/Lz+flareWc2d93Ja1chGsjVU1+R5l0RqKtW9bTTjUAVncJ 97ctHH85SZRhMfNUqlyO0q55ODlm3vAn1CiDye7ENeZ90X1Fxkke7geNyXdkhDXMKrTI akddnL/zx+vhkc9cesb1o2iwjmzeZSTyAL2WS/SYdIJjZBIni+hEAiz2vCCERs8hC1zl r/fpeZIxxU46vKXNziWqdsNfYBlmlkjtqhOE+OtofI5g+Ddiuy7yNRvL8TADI+mYWxvI uEiLVzWpq+nHT3AG6HPHattK08yzKEIaBlfbJGZK//KYQD8Lw6dK9Pnudb6KXsgI5w84 Bgmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=AKgPcGJT/7vWyErtNQM1Lb6zV6x3/x2KCY8F/ZlXHto=; b=MV7SAGGgZ+kxhTd++9tRSg4p/G0hOtFYGfFHjyI7xvcUVwDFcGD1JDCtKldAJOXNFo 5qP2G3lA3VV6PPCWNHigM16TV/iOdIeHUWWzGtCWaVbQ+ihNX013wFIF5u0RNw5dh7SK xg3oSGrzWWhosaogZPsGfG5nwk+AYoU06QPq4lY7LCUa67N/44pfhzxOqFqWT16NS9T+ MM4to+JM0PLe9Ofp3EimxgwT6pRWMA1vhuwHgcCaPKrAsJqGO+ZOJWHIPc9LNmmwR/83 rJzbppKbUUVqw+lRfSE3uduWN0MkGeON5a9IEckZ3MHK4oc8y8SrK5IUCMfYvUB9WdnJ BQMw==
X-Gm-Message-State: AD7BkJLpG2zEqgmGV7FbPYeyym8rNO1FAdRHtm2zXDeA8ycBgQjIvkvXAht6NoV7Q8gCOQ==
X-Received: by with SMTP id p9mr4990902qhp.50.1457027544498; Thu, 03 Mar 2016 09:52:24 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id u16sm17419819qka.22.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 03 Mar 2016 09:52:23 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_1BC2F598-B068-4BC8-8843-941C27D7FC08"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <>
In-Reply-To: <>
Date: Thu, 03 Mar 2016 14:52:17 -0300
Message-Id: <>
References: <> <>
To: Michael Schwartz <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Subject: Re: [OAUTH-WG] 2nd Call for Adoption: Authentication Method Reference Values
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Mar 2016 17:52:37 -0000

Mike if you subscribe to the mailing list your opinion counts towards consensus.   I am sure you are well aware that the IETF doesn’t vote in WG.

Do you object to the specific initial values in the registry or the notion of having a IANA registry for the values.

You are also free to contribute text to the authors or the WG if it is accepted as a work item.

The question at this point is if it should this draft be the starting point for a work item in the Working group.

We are a long way from approving a spec to go to the IESG for review.

John B.

> On Mar 3, 2016, at 1:57 PM, Mike Schwartz <> wrote:
> OAuth Guru's,
> I know you are all going to approve this AMR spec anyway, but I'd just like to dissent. I think this specification is useless, and potentially harmful.
> Just as an example--two domains that use "face" as the amr probably have totally different algorithms, sensitivities, training, and identity management processes that contribute to the significance of this value. So rather than interoperability, this standard just sets up domains for miscommunication.
> If it doesn't serve interoperabilty, what use case does this standard solve?
> I think a bad quick and dirty solution is worse than no solution at all. If I had a vote, I'd definitely vote against this one.
> - Mike
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> _______________________________________________
> OAuth mailing list