Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)
Hannes Tschofenig <hannes.tschofenig@nsn.com> Thu, 28 October 2010 11:02 UTC
Date: Thu, 28 Oct 2010 14:04:35 +0300
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: "ext Freeman, Tim" <tim.freeman@hp.com>, "oauth@ietf.org" <oauth@ietf.org>

Hey Tim,

Earlier this year we had discussions around use cases but they did not lead to more insight. There is a document in the draft repository that talks about use cases, namely
http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/

But it had never gotten a lot of attention on the list. (I don't know why.)

Efforts to reach out to the Kantara UMA group for more sophisticated use cases that motivate some security mechanisms have not produced anything either. (I believe the reason was that the scenarios focused on the user-experience aspect rather than on security differences.)

If you look at the draft that Blaine and I put together recently (see http://datatracker.ietf.org/doc/draft-tschofenig-oauth-signature-thoughts/ ) then you will notice that from a security point of view there is very little difference between using message signing on the HTTP layer and using TLS with respect to a certain class of security threats. In our recommendation we actually suggest to recommend to go for the HTTP layer security because we are worried that ***operational*** aspects will go wrong in deployments.

While I was convinced initially that looking at the use cases will get us further on the security questions it actually does not.

Ciao
Hannes

PS: Btw, your feedback on the security draft would be of interest to us.

On 10/27/10 9:09 PM, "ext Freeman, Tim" <tim.freeman@hp.com> wrote:

> On the face of it, it seems that discussion of whether and how to split the
> document has derailed collection of use cases. If we had consensus on a list
> of use cases, that would mean we have identified the problems we're trying to
> solve. This would still allow slimy political manipulation of the process by
> manipulating the use case list, but that would be progress. It's better to
> have a protocol that solves a politically-defined set of problems than to have
> a politically-defined protocol that solves no identified problem.