Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
Justin Richer <jricher@mitre.org> Fri, 31 May 2013 19:41 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D93421F8EAE for <oauth@ietfa.amsl.com>; Fri, 31 May 2013 12:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.132
X-Spam-Level:
X-Spam-Status: No, score=-5.132 tagged_above=-999 required=5 tests=[AWL=0.866, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8MmmfVe2Kg12 for <oauth@ietfa.amsl.com>; Fri, 31 May 2013 12:41:05 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id C440B21F8E8F for <oauth@ietf.org>; Fri, 31 May 2013 12:41:04 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4C2492A50051; Fri, 31 May 2013 15:41:04 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 20BB82A5004E; Fri, 31 May 2013 15:41:04 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Fri, 31 May 2013 15:41:03 -0400
Message-ID: <51A8FCA6.9050109@mitre.org>
Date: Fri, 31 May 2013 15:40:22 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <51A7ADAE.4070005@mitre.org> <62636DE9-80BD-4B83-817B-3E6622434FD0@oracle.com> <51A7C00B.6050409@mitre.org> <78BAEE23-FB66-4BA5-A1A5-5626D22AA014@oracle.com> <B33BFB58CCC8BE4998958016839DE27E08F97708@IMCMBX01.MITRE.ORG> <18C751E2-31B2-4C7F-BC9A-49F382F96673@oracle.com> <B33BFB58CCC8BE49989! 58016839DE27E08F977D8@IMCMBX01.MITRE.ORG> <77A0DA5E-09CE-4A5E-9500-54A0842252FB@oracle.com> <51A8B9C4.8020200! @mitre.org> <F293690C-1E82-4350-80D4-2E2C0EF86E55@oracle.com> <51A8C0ED.6040607@mitre.org> <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com> <51A8D123.3090103@mit! re.org> <F319CA95-B5A8-4BD5-A8BA-F57BCBA6806B@oracle.com> <51A8E0BD.9090908@mitre.org> <521EB2A2-C786-43BE-9449-A12324347E6D@oracle.com> <51A8E4B2.1! ! ! 030309@mitre.org> <75 C87F6C-4388-482C-ABE9-216FB63FE926@oracle.com> <002701ce5e33$620faaa0$262effe0$@reminetworks.com> <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com>
In-Reply-To: <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com>
Content-Type: multipart/alternative; boundary="------------040603040705080608040007"
X-Originating-IP: [129.83.31.56]
Cc: Donald F Coffin <donald.coffin@reminetworks.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 19:41:11 -0000
I feel the need to clarify a couple erroneous things in Phil's statement: * To be clear, Draft 11 has the same Registration Access Token system that has been in place since draft 01, it is not inventing something new at the last minute as could be inferred from the statement below. * DynReg is using an absolutely standard OAuth 2 Bearer token as the Registration Access Token, it's just not coming from a Token Endpoint. However, since an OAuth Protected Resource doesn't care where its tokens come from so long as it can validate them, I don't see this as a problem -- this is a key point where Phil and I disagree. -- Justin On 05/31/2013 03:33 PM, Phil Hunt wrote: > Don, > > I am not proposing any change in meaning. If registration acces token > issues by normal token server with scope registration everything is > clear as it is for any other protected API. Draft 11 invents a whole > new system. I strongly disagree with this. > > Phil > > On 2013-05-31, at 15:16, Donald F Coffin > <donald.coffin@reminetworks.com > <mailto:donald.coffin@reminetworks.com>> wrote: > >> For something that was agreed to be parked a few hours ago, there >> sure seems to still be a lot of circular discussion. Should we ask a >> mediator to intervene? >> >> FWIW I believe that is a significantly strong reason to differentiate >> an access token that can access the registration information without >> having the ability to access protected data. Especially given the >> implied strength of the “client credential” obtained access token. I >> have found it extremely confusing to users when explaining the >> difference between an access token obtained thorough an authorization >> code flow and a client credential flow, simply because they are both >> called an “access token”. Changing the meaning of an access token >> obtained through the client credential flow to mean it has the >> ability to update a registration, when a user may not want it to have >> access to protected data will only increase both the complexity of >> the access tokens as well as make their usage harder to explain to >> non-technical individuals who have to understand the differences >> between the access tokens obtained through the various flows. >> >> Just my two cents. >> >> Best regards, >> >> Don >> >> Donald F. Coffin >> >> Founder/CTO >> >> REMI Networks >> >> 22751 El Prado Suite 6216 >> >> Rancho Santa Margarita, CA 92688-3836 >> >> Phone: (949) 636-8571 >> >> Email: donald.coffin@reminetworks.com >> <mailto:donald.coffin@reminetworks.com> >> >> *From:*Phil Hunt [mailto:phil.hunt@oracle.com] >> *Sent:* Friday, May 31, 2013 11:11 AM >> *To:* Justin Richer >> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> WG >> *Subject:* Re: [OAUTH-WG] review comments on >> draft-ietf-oauth-dyn-reg-11.txt >> >> To be clear. >> >> It is two separate issues. >> >> 1. Anonymous clients can easily be handled through policy config. >> >> 2. Support for implicit clients needs to be discussed. The current >> proposal creates large negative value for the service provider and >> most would never allow in current form. Yes it gives each execution >> instance a new id, but that isnt what sp's want. It is a huge attack >> and management headache. Eliminate or propose a different solution. >> >> Phil >> >> >> On 2013-05-31, at 13:58, Justin Richer <jricher@mitre.org >> <mailto:jricher@mitre.org>> wrote: >> >> I'm not willing to write out an entire class of clients from this >> spec, especially when we have stated use cases for them doing >> dynamic registration. >> >> I'm sorry, but your proposed solution will simply not work. >> >> -- Justin >> >> On 05/31/2013 01:56 PM, Phil Hunt wrote: >> >> Well the only client that wouldn't have a credential is an >> implicit client. An implicit client is transient and so would >> never update. >> >> Besides, as i have stated, implicit clients should not use >> dyn reg. >> >> >> Phil >> >> >> On 2013-05-31, at 13:41, Justin Richer <jricher@mitre.org >> <mailto:jricher@mitre.org>> wrote: >> >> But the outstanding question is: how do you get the >> access token to access the created resource (IE: the >> Registration Access Token)? You can't use the >> client_credentials flow for a client with no credentials! >> >> -- Justin >> >> On 05/31/2013 12:58 PM, Phil Hunt wrote: >> >> Yes. I specified the trivial solution to anonymous >> clients earlier. >> >> Even simpler. You don't need an access token to >> create a new resource. You just need one to access >> one. That is just basic security config. >> >> >> Phil >> >> >> On 2013-05-31, at 12:34, Justin Richer >> <jricher@mitre.org <mailto:jricher@mitre.org>> wrote: >> >> I agree that we are going in circles, since I >> just was going to bring up my counter argument of >> "what about clients with no credentials?" again, >> which *still* isn't addressed by what you suggest >> doing, below. I also believe that getting rid of >> the Registration Access Token but using some >> other token method would actually make the spec >> larger, though I'd be glad to review a concrete >> counter-proposal if you'd like to write one. And >> the fact that OIDC is doing it this way, and >> considered but rejected the way that you're >> describing, should say something to the WG here >> about whether or not this is the right choice. >> Rough consensus and running code, after all. >> >> Regardless, I agree to park this issue and leave >> the text as is. We'll move to the next draft in >> the last call process shortly, as I have a >> handful of non-normative editorial changes that I >> need to make, thanks to feedback from a few folks. >> >> Again, thanks for your thorough review, Phil, and >> I look forward to future feedback. >> >> -- Justin >> >> On 05/31/2013 12:28 PM, Phil Hunt wrote: >> >> I disagree. >> >> There is absolutely no need for a >> registration access token. >> >> Get rid of it and just use access tokens as >> per 6749. If you can't follow 6749 and need >> new issuing methods, what are others to say >> regarding inventing new methods? >> >> I have not heard a good reason for the >> special process or one good enough to warrant >> a new method for issuing an access token. >> Does the broader group realize this is what >> the spec says? >> >> Yes, i heard a lot saying OIDC does it this >> way. But that is a political reason, not a >> technical reason. Still, compatibility is >> always a strong objective. Even so, oidc >> could keep using their method just fine. >> There is no obligation here to do the same. >> >> The only reason so far was expiry of client >> creds. Well, why not require the client to >> update prior to expiry? It makes no sense to >> have another token with longer expiry. >> B'sides, even expired the client can >> re-register from scratch. >> >> Why force the client to persist multiple >> tokens and creds? That is far far too complex. >> >> Finally if you get rid of registration access >> token the spec size will drop roughly in half >> IMO. This suggests simplicity to me. >> >> Apologies for my rant. Maybe we should park >> this for now. We are going in circles. >> >> Phil >> >> >> On 2013-05-31, at 11:25, Justin Richer >> <jricher@mitre.org >> <mailto:jricher@mitre.org>> wrote: >> >> Phil, >> >> We *can* keep it straight just fine, but >> I just need you to be clear about which >> part you're objecting to because the >> answers are different. Please use the >> terms as defined in the document so that >> we all know which component we're talking >> about. I'm sure you'd agree than in >> specification work such as this, >> precision of language and labels is key >> for communication between parties. This >> is precisely why there's a Terminology >> section right up front, so that when I >> say "Registration Access Token" you can >> know that I mean a very specific thing, >> and when I say "Initial Registration >> Token" I mean a very different specific >> thing. So I'm asking you, please, use the >> defined terms so that we can avoid this >> unnecessary confusion. >> >> But anyway, what you're talking about >> below, "the token the client uses to >> update is profile" *IS* the Registration >> Access Token. That's all that that token >> is used for. You're not asking for it to >> go away, you're asking for it to come >> from the Token Endpoint instead of the >> response from the Registration Endpoint. >> I don't see how the client *can* get it >> from the normal token process without >> jumping through specialized hoops to make >> that happen. I've implemented the draft >> the way that it is right now, both client >> and server side, and it works. Others >> have implemented it, too. We've done >> interop testing, and it works. This is a >> proven pattern and from where I sit there >> is both rough consensus and running code. >> >> I believe that I've already pointed out >> how the solutions you've proposed so far >> won't work in practice, for various >> reasons, many of which have already been >> brought up and discussed previously. If >> you have another way for the client to >> get its Registration Access Token, please >> propose it; but I haven't seen anything >> yet that will fly. >> >> -- Justin >> >> On 05/31/2013 11:10 AM, Phil Hunt wrote: >> >> Justin, >> >> This is my primary objection! We >> can't keep it straight. Their should >> be no such thing as a registrstion >> access token! Just the token the >> client obtains to update its profile >> through the normal token request >> process. >> >> Phil >> >> >> On 2013-05-31, at 10:55, Justin >> Richer <jricher@mitre.org >> <mailto:jricher@mitre.org>> wrote: >> >> Which token are you referring to >> here? >> >> If it's the Initial Registration >> Token, then you could get that >> through the normal token server >> no problem. (The lifecycle >> writeups don't call this out >> explicitly but I would be willing >> to do so.) Or you could get it >> elsewhere. Doesn't matter, just >> like it doesn't matter with any >> other OAuth2 protected resource. >> >> If it's the Registration Access >> Token, then having the token come >> from the token endpoint would >> require a lot more work and >> complexity on behalf of both of >> the client and server. Either you >> end up with public clients >> getting secrets they shouldn't >> need or with granting clients >> access to the client_credentials >> flow when they shouldn't actually >> have it. Plus it adds extra round >> trips which don't buy you anything. >> >> -- Justin >> >> On 05/31/2013 10:15 AM, Phil Hunt >> wrote: >> >> The preference is to have the >> access token for registration >> issued by the normal token >> server rather then by the >> registration endpoint. >> >> In the current draft it is >> obtained through a unique >> process and must outlive the >> client. >> >> >> Phil >> >> >> On 2013-05-30, at 19:47, >> "Richer, Justin P." >> <jricher@mitre.org >> <mailto:jricher@mitre.org>> >> wrote: >> >> I don't understand any of >> the comments below -- it >> already *is* an OAuth2 >> protected resource >> without any special >> handling. Your access >> tokens can be >> short-lived, long-lived, >> federated, structured, >> random blobs ... totally >> doesn't matter. They are >> access tokens being used >> to access a normal >> protected resource. Full >> stop. >> >> Anything else is out of >> scope. The lifecycle >> discussions at the >> beginning are merely >> examples of some ways you >> *could* use it and are >> non-normative and >> non-exhaustive. >> >> You seem to be asking for >> something that's already >> in the draft. >> >> -- Justin >> >> ------------------------------------------------------------------------ >> >> *From:*Phil Hunt >> [phil.hunt@oracle.com >> <mailto:phil.hunt@oracle.com>] >> *Sent:* Thursday, May 30, >> 2013 7:31 PM >> *To:* Richer, Justin P. >> *Cc:* John Bradley; >> oauth@ietf.org >> <mailto:oauth@ietf.org> WG >> *Subject:* Re: [OAUTH-WG] >> review comments on >> draft-ietf-oauth-dyn-reg-11.txt >> >> >> >> Phil >> >> >> On 2013-05-30, at 16:11, >> "Richer, Justin P." >> <jricher@mitre.org >> <mailto:jricher@mitre.org>> >> wrote: >> >> Comments inline, >> marked by [JR]. >> >> ------------------------------------------------------------------------ >> >> *From:*Phil Hunt >> [phil.hunt@oracle.com >> <mailto:phil.hunt@oracle.com>] >> *Sent:* Thursday, May >> 30, 2013 5:25 PM >> *To:* Richer, Justin P. >> *Cc:* John Bradley; >> oauth@ietf.org >> <mailto:oauth@ietf.org> >> WG >> *Subject:* Re: >> [OAUTH-WG] review >> comments on >> draft-ietf-oauth-dyn-reg-11.txt >> >> See below. >> >> Phil >> >> @independentid >> >> www.independentid.com >> <http://www.independentid.com> >> >> phil.hunt@oracle.com >> <mailto:phil.hunt@oracle.com> >> >> On 2013-05-30, at >> 2:09 PM, Justin >> Richer wrote: >> >> >> >> OK, I think see part >> of the hang up. I >> have not seen the >> scenario that you >> describe, where you >> trade a 3rd party >> token for a "local" >> token. I have seen >> where access tokens >> are federated >> directly at the PR. >> (Introspection lets >> you do some good >> things with that >> pattern.) >>
- [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-1… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-r… Richer, Justin P.
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-r… Phil Hunt
- [OAUTH-WG] review comments on draft-ietf-oauth-dy… Torsten Lodderstedt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Torsten Lodderstedt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Richer, Justin P.
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… John Bradley
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… George Fletcher
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… John Bradley
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… John Bradley
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Richer, Justin P.
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Richer, Justin P.
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Donald F Coffin
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Donald F Coffin
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Tim Bray
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Manger, James H
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Tim Bray
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Manger, James H
- [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer to… Manger, James H
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tim Bray
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Manger, James H
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer