IETF Logo Mail Archive

Re: [OAUTH-WG] draft-15 editorials

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 07 April 2011 03:13 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31EDF3A6784 for <oauth@core3.amsl.com>; Wed, 6 Apr 2011 20:13:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.833
X-Spam-Level:
X-Spam-Status: No, score=-0.833 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-6ZjP0Q6qE8 for <oauth@core3.amsl.com>; Wed, 6 Apr 2011 20:13:45 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by core3.amsl.com (Postfix) with ESMTP id 32D9A3A681C for <oauth@ietf.org>; Wed, 6 Apr 2011 20:13:43 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.63,314,1299416400"; d="scan'208,217"; a="31700741"
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipocvi.tcif.telstra.com.au with ESMTP; 07 Apr 2011 13:15:26 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6308"; a="23222190"
Received: from wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) by ipcavi.tcif.telstra.com.au with ESMTP; 07 Apr 2011 13:15:27 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) with mapi; Thu, 7 Apr 2011 13:15:26 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Paul Madsen <paul.madsen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 07 Apr 2011 13:15:23 +1000
Thread-Topic: [OAUTH-WG] draft-15 editorials
Thread-Index: Acv0bXKSFkj7XrrhT52Zzjt7Es6WhQAS+GLA
Message-ID: <255B9BB34FB7D647A506DC292726F6E11281C39962@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11281BA9188@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B1680429673943252CE4F8@TK5EX14MBXC203.redmond.corp.microsoft.com> <4D9C47A8.30605@gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234465664DF8F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4D9C836C.9080704@gmail.com>
In-Reply-To: <4D9C836C.9080704@gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E11281C39962WSMSG3153Vsrv_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] draft-15 editorials
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2011 03:13:51 -0000

Paul,



The draft-15.1 abstract is just the first sentence of the abstract I suggested last month [http://www.ietf.org/mail-archive/web/oauth/current/msg05693.html and below]. The rest covered OAuth's other major aspect: issuing temporary credentials that resource servers can handle, while a separate service can handle permanent or exotic credentials (eg assertions). Does it fit what you were after?



Your "directly negotiate access" phrase hints that there is more to OAuth 2 than delegation, but I'm not sure that it explains it.



--

James Manger



From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Paul Madsen
Sent: Thursday, 7 April 2011 1:15 AM
To: Eran Hammer-Lahav
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-15 editorials



Proposed text

The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of an end-user by orchestrating an approval interaction between the end-user and the HTTP service, or by allowing the third-party application to directly 'negotiate', on its own behalf, such access with the HTTP service.

And I acknowledge the concerns that 'negotiate' might create, thus the air quotes ....

paul







From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Manger, James H
Sent: Thursday, 17 March 2011 1:40 PM
To: OAuth WG
Subject: [OAUTH-WG] OAuth2 abstract



Comments on draft-ietf-oauth-v2-13:



1. Abstract

The 1-line abstract is not helpful - it merely repeats the title. The abstract is important as it is the text most widely seem around the rest of the IETF community (eg in announcements of drafts and RFCs) and beyond. It needs to mention: users delegating access to applications; applications orchestrating that delegation; swapping permanent credentials for short-lived access tokens; and that it uses HTTP. Here is my suggestion:



  "The OAuth 2.0 authorization protocol allows an application to gain
  limited permission to access an HTTP service on behalf of a user by
  orchestrating an approval interaction between the user and the service.
  OAuth 2.0 uses temporary credentials, issued by an HTTP service either
  directly to an application or to represent user-delegated permissions.
  A collection of HTTP services can accept temporary credentials without
  needing to handle long-term user or application credentials, which
  can be restricted to a secure service that issues the temporary
  credentials."



I think this text can be understood without knowing any of the specialised terms introduced later in the specification.





--

James Manger

v2.23.0 | Report a Bug | By Email