IETF Logo Mail Archive

Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)

George Fletcher <gffletch@aol.com> Thu, 28 October 2010 02:00 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E9133A67AF for <oauth@core3.amsl.com>; Wed, 27 Oct 2010 19:00:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TwbaA-50Lgh8 for <oauth@core3.amsl.com>; Wed, 27 Oct 2010 19:00:29 -0700 (PDT)
Received: from imr-ma05.mx.aol.com (imr-ma05.mx.aol.com [64.12.100.31]) by core3.amsl.com (Postfix) with ESMTP id 836EB3A67EC for <oauth@ietf.org>; Wed, 27 Oct 2010 19:00:29 -0700 (PDT)
Received: from mtaout-ma04.r1000.mx.aol.com (mtaout-ma04.r1000.mx.aol.com [172.29.41.4]) by imr-ma05.mx.aol.com (8.14.1/8.14.1) with ESMTP id o9S222Tr031195; Wed, 27 Oct 2010 22:02:02 -0400
Received: from palantir.local (unknown [10.172.3.91]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 37976E0000AC; Wed, 27 Oct 2010 22:01:56 -0400 (EDT)
Message-ID: <4CC8D993.1050503@aol.com>
Date: Wed, 27 Oct 2010 22:01:55 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.11) Gecko/20101013 Thunderbird/3.1.5
MIME-Version: 1.0
To: "Freeman, Tim" <tim.freeman@hp.com>
References: <AANLkTik30oVX+AevGCZDHajjyrDnEVB=fp6rAdihkPFz@mail.gmail.com> <C8EDE8E4.2517%hannes.tschofenig@nsn.com> <4E1F6AAD24975D4BA5B1680429673943245A1D1F@TK5EX14MBXC207.redmond.corp.microsoft.com> <59DD1BA8FD3C0F4C90771C18F2B5B53A653ACE4C0B@GVW0432EXB.americas.hpqcorp.net>
In-Reply-To: <59DD1BA8FD3C0F4C90771C18F2B5B53A653ACE4C0B@GVW0432EXB.americas.hpqcorp.net>
Content-Type: multipart/alternative; boundary="------------070609090909070308020708"
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:514195968:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d29044cc8d9941a12
X-AOL-IP: 10.172.3.91
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2010 02:00:31 -0000

I'm not sure what you mean by signatures improving privacy? I don't see 
signature having much effect on privacy. Encryption is needed for that.

However, signatures do limit the scope of exposure should a token get 
exposed in some manner. In that sense a user is protected because a 
leaked token isn't usable accept by the party to which it was issued.

I also believe that signatures are orthogonal to the delegation use 
case. In other words, signatures don't prevent server A from getting a 
token and giving it to server B for server B to use with a protected 
resource.

Thanks,
George

On 10/27/10 2:09 PM, Freeman, Tim wrote:
> On the face of it, it seems that discussion of whether and how to split the document has derailed collection of use cases.  If we had consensus on a list of use cases, that would mean we have identified the problems we're trying to solve.  This would still allow slimy political manipulation of the process by manipulating the use case list, but that would be progress.  It's better to have a protocol that solves a politically-defined set of problems than to have a politically-defined protocol that solves no identified problem.
>
> It's also possible that such collection is going on via private email and I am not aware of it.
>
> The questions currently interesting to me about use cases are:
>
> * The only use cases that made sense to me about signatures used them for auditability, where they enabled blame to be properly placed after information leaked to the wrong people.  People were proposing use cases that claimed that signatures improved privacy, that is, the ability to keep the information out of the hands of the wrong people.  So far as I know all use cases where signatures improved privacy seemed to fall apart after a few minutes inspection.  Do we agree that signatures improve auditability but not privacy, or does someone still believe in a use case where signatures improve privacy?
>
> * Use cases that justify a feature seem to require two parts -- an example where the feature is absent and therefore a particular problem cannot be solved, and an example where the feature is present and the same problem can then be solved.  Last I checked the existing use case list seemed to only have the second type where problems were successfully solved and it was unclear to me that the proposed features were really required in order to do that.  Do we agree that justifying a feature requires both a use case where absence of the feature makes a problem unsolvable and presence of the feature makes the same problem solvable?  (Alternatives are to believe that there is some other way to justify having a feature, or to believe we should have features that do not have a clearly described technical justification.  Maybe the features are required by law, are esthetically pleasing, make use of the right patents and not the wrong ones, look impressive on one's resume, etc.)
>
> * The simplest signature schemes seem have the consequence of preventing server A from delegating work to server B, since the work must be done by making requests signed by server A.  Do we want to support use cases where one server delegates work to another server?  Do we want to do by allowing A's right to do certain things to be traded in for something that gives B the right to do some of those things, by bearer tokens, by some other means, or not at all?
>
> Tim Freeman
> Email:tim.freeman@hp.com
> Desk in Palo Alto: (650) 857-2581
> Home: (408) 774-1298
> Cell: (408) 348-7536
>
>
> -----Original Message-----
> From:oauth-bounces@ietf.org  [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Wednesday, October 27, 2010 9:57 AM
> To: Hannes Tschofenig; Blaine Cook;oauth@ietf.org
> Subject: Re: [OAUTH-WG] Call for Consensus on Document Split
>
> Thanks for your confidence in me.  I look forward to completing a specification that meets the industry needs.
>
> I plan to sync with Eran this week.  I also plan to hold a "listening tour" at IIW to understand stakeholders' perspectives on where we stand with OAuth 2.0 today and what remains to do finish it.  Please come talk to me at IIW if you're there and you're building or deploying OAuth 2.0 and want me to understand your views.  E-mail and phone calls are also welcome.
>
> Once I've synced with Eran and gathered input from stakeholders, I'll plan on announcing target dates for drafts.
>
>                  -- Mike
>
> -----Original Message-----
> From:oauth-bounces@ietf.org  [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, October 27, 2010 4:34 AM
> To: Blaine Cook;oauth@ietf.org
> Subject: Re: [OAUTH-WG] Call for Consensus on Document Split
>
> Hi all,
>
> based on the feedback from the group on the list we go forward with the document split.
>
> Mike had kindly offered to edit the bearer specification and we are happy to hear that. Thank you Mike. I am looking forward to see the first document.
>
> Ciao
> Hannes
>
> On 10/14/10 3:32 AM, "Blaine Cook"<romeda@gmail.com>  wrote:
>
>> Over the past few weeks, the working group debated the issues around
>> the introduction of signatures and the structure of the specification.
>> The working group seems to endorse the proposal to split the current
>> specification into two parts: one including section 5 (bearer token)
>> and the other including the rest (how to obtain a token), with an
>> additional specification covering signature use cases.
>>
>> This serves as a call for consensus on the proposed editorial work.
>> Before we proceed with the changes, the chairs would like to ask if
>> anyone has any concerns or objections against this proposal.
>>
>> In addition, the chairs are seeking a volunteer to take over the
>> bearer token specification (section 5) as editor.
>>
>> Please submit your comments by Wednesday, October 20th.
>>
>> - The OAuth Working Group Chairs
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email