Re: [OAUTH-WG] OAuth WRAP

"Paul C. Bryan" <email@pbryan.net> Tue, 10 November 2009 21:40 UTC

Hi Eran:

Thanks for your clarification.

It seems to me that without simple guidelines on what's reasonable to be
called "OAuth", anyone can propose a protocol that purports to be
related in some way to OAuth, at the expense of community confusion and
dilution of its meaning. Is there a way to mitigate this kind of
occurrence other than by simply dismissing it as noise?

Paul

On Tue, 2009-11-10 at 14:16 -0700, Eran Hammer-Lahav wrote:
> My 2c:
> 
> WRAP was developed out of necessity due to limitations in OAuth and
> product release schedule. Without going into too much detail about
> whether a whole new protocol was really necessary, the WRAP authors
> felt that it was, and that their timeline could not accommodate
> waiting for the OAUTH WG to accommodate their use cases in the new
> version of the spec. We now have a new and separate spec in the space.
> 
> I have encouraged the authors to submit their spec as input for the WG
> and to collaborate to make the upcoming WG spec cover their use case.
> The goal would be to render the separate WRAP spec unnecessary. How
> they or others would choose to apply this to their implementation is
> beyond my control or (TBH) interest.
> 
> Most of the innovative ideas in WRAP are around the delegation flow
> (and there are some good ideas in there). I plan to use some of that
> as the basis for the new delegation spec. On the authentication side,
> WRAP uses bearer token with no crypto which will be supported by the
> PLAIN flavor.
> 
> As for how to manage community expectations, the OAuth brand, etc.: I
> was opposed to putting WRAP under the OAuth brand (the entire effort
> started as “Simple OAuth”). Others felt that pretending WRAP was an
> OAuth profile (it is not) and naming it as such would be less
> confusing or less damaging to the OAuth brand (if you call it the same
> thing, there is no competition). I didn’t care enough to (continue)
> that argument given my view that by the time WRAP will get the wide
> attention OAuth has, this WG will produce stable drafts of the new
> OAuth and will make this irrelevant.
> 
> EHL
> 
> 
> 
> 
> On 11/10/09 11:56 AM, "Paul C. Bryan" <email@pbryan.net> wrote:
> 
>         I guess I must admit I'm a bit surprised that the general consensus
>         would be to merge with/profile WRAP as OAuth, as the deltas between the
>         two protocols as defined seem quite substantial. Does this mean that
>         for all intents and purposes I should consider the existing OAuth IETF
>         drafts to date to be deprecated in favour of WRAP?
>         
>         Paul
>         
>         On Tue, 2009-11-10 at 19:46 +0000, Dick Hardt wrote:
>         > Good question. Given the positive reception WRAP received at IIW and
>         > that capabilities in WRAP are expected to come out of the work in the
>         > IETF OAuth WG, there was consensus from the OAuth community to include
>         > WRAP as OAuth profiles.
>         >
>         > -- Dick
>         >
>         > On 2009-11-10, at 10:06 AM, "Paul C. Bryan" <email@pbryan.net> wrote:
>         >
>         > > Hi Dick:
>         > >
>         > > Given that WRAP is so different from OAuth (as I know it), other than
>         > > the fact that OAuth could be used to negotiate the issuance of a WRAP
>         > > refresh token, I'm curious why you chose to associate this with OAuth by
>         > > giving it an "OAuth" prefix. It seems to me that it would only create
>         > > confusion in this space.
>         > >
>         > > Paul
>         > >
>         > > On Tue, 2009-11-10 at 17:52 +0000, Dick Hardt wrote:
>         > >> At IIW last week, myself, Brian Eaton from Google and Allen Tom from
>         > >> Yahoo! presented what is now called OAuth WRAP
>         > >>
>         > >> The specs and discussion specific to those documents are at:
>         > >>
>         > >>    http://groups.google.com/group/oauth-wrap-wg
>         > >>
>         > >> We plan to submit the document as an I-D next week when I-D submission
>         > >> is open again, and for further work to occur in the IETF OAuth WG.
>         > >>
>         > >> -- Dick
>         > >> _______________________________________________
>         > >> OAuth mailing list
>         > >> OAuth@ietf.org
>         > >> https://www.ietf.org/mailman/listinfo/oauth
>         > >
>