Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)

Hannes Tschofenig, Thu, 28 October 2010 11:02 UTC

Date: Thu, 28 Oct 2010 14:04:35 +0300
From: Hannes Tschofenig <>
To: "ext Freeman, Tim" <>, "" <>

Hey Tim, 

Earlier this year we had discussions around use cases but they did not lead
to more insight. 

There is a document in the draft repository that talks about use cases,
but it has never gotten a lot of attention on the list. (I don't know why.)

Efforts to reach out to the Kantara UMA group for more sophisticated use
cases that motivate some security mechanisms have not produced anything
either. (I believe the reason was that the scenarios focused on the
user-experience aspect rather than on security differences.)

If you look at the draft that Blaine and I put together recently (see
) then you will notice that from a security point of view there is very
little difference between using message signing on the HTTP layer and using
TLS with respect to a certain class of security threats.

In our recommendation we actually suggest going for the HTTP-layer
security because we are worried that ***operational*** aspects will go
wrong in deployments.

While I was initially convinced that looking at the use cases would get us
further on the security questions, it actually does not.

PS: Btw, your feedback on the security draft would be of interest to us.

On 10/27/10 9:09 PM, "ext Freeman, Tim" <> wrote:

> On the face of it, it seems that discussion of whether and how to split the
> document has derailed collection of use cases.  If we had consensus on a list
> of use cases, that would mean we have identified the problems we're trying to
> solve.  This would still allow slimy political manipulation of the process by
> manipulating the use case list, but that would be progress.  It's better to
> have a protocol that solves a politically-defined set of problems than to have
> a politically-defined protocol that solves no identified problem.