Re: [OAUTH-WG] Mandatory-to-implement token type

Michael Thomas <mike@mtcc.com> Fri, 02 December 2011 01:35 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8332811E808A for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2011 17:35:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R15qDpI8UV2V for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2011 17:35:44 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id A736F11E8081 for <oauth@ietf.org>; Thu, 1 Dec 2011 17:35:44 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pB21ZdIw001248 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 1 Dec 2011 17:35:39 -0800
Message-ID: <4ED82B6B.6050301@mtcc.com>
Date: Thu, 01 Dec 2011 17:35:39 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com> <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> <4ED8288E.90101@cs.tcd.ie>
In-Reply-To: <4ED8288E.90101@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1096; t=1322789740; x=1323653740; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20Mandatory-to-implement=20t oken=20type |Sender:=20 |To:=20Stephen=20Farrell=20<stephen.farrell@cs.tcd.ie> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=qDLJPH6Sf6S8AZmrwIhhLFqHxuwgA31LYQDjWyNG+3o=; b=uVGzfI6UaX/hZFDgnM06QlI3cY8prSzZPt6UdHHOhh1nz9w6Jovu2ZM2dW B9qmqzYfCZDej13yg2MyzKO868Kys2yXJLbO6JlBo/Uz1UGvyXE1IFqV4ccO TH3dgYwWAvtJY8+omJPr9ikAF95Ko3hqHtbsINoi1mn9mFY6k6JdA=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2011 01:35:45 -0000

On 12/01/2011 05:23 PM, Stephen Farrell wrote:
>> E.g. MAC tokens work well for non-TLS protected resources.  Bearer tokens in contrast are easier to use, but require TLS protected service to avoid theft-of-credential.
>
> So picking is a nuisance sure. But it helps interop.

This smacks of truth by blatant assertion. If something is required to
be implemented but is unused -- which will happen if the profile
chosen by the SDK doesn't need the required one -- you're not going
to get better interoperability, you're just going to get untested code.

I don't see what the big deal is about saying that discovery, etc, is
for a -bis release of this PS. That would take care of your problem of
reaching back into this PS to change just this part. And what are the
chances of not having a recycle anyway with any well-deployed PS?
Zero?

  |We disagree about that I guess. To me it seems a peculiar way to go
  |unless one assumes that coders write code that's specific to a specific
  |service provider.

But that is exactly what's happening in the field.

Mike


Mike