Re: [OAUTH-WG] Signatures don't solve that problem (was RE: Signatures...what are we trying to solve?)

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Mon, 04 October 2010 18:41 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DF7DB3A6E4A for <oauth@core3.amsl.com>; Mon, 4 Oct 2010 11:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.418
X-Spam-Level:
X-Spam-Status: No, score=-2.418 tagged_above=-999 required=5 tests=[AWL=0.181, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbQdH9dyLUQA for <oauth@core3.amsl.com>; Mon, 4 Oct 2010 11:41:03 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by core3.amsl.com (Postfix) with ESMTP id 8CFEB3A7067 for <oauth@ietf.org>; Mon, 4 Oct 2010 11:40:42 -0700 (PDT)
Received: from umail.lucent.com (h135-3-40-63.lucent.com [135.3.40.63]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id o94Ifb6v018132 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 4 Oct 2010 13:41:37 -0500 (CDT)
Received: from [135.222.134.173] (faynberg-c1.mh.lucent.com [135.222.134.173]) by umail.lucent.com (8.13.8/TPES) with ESMTP id o94IfYUW024357; Mon, 4 Oct 2010 13:41:34 -0500 (CDT)
Message-ID: <4CAA1FDE.50804@alcatel-lucent.com>
Date: Mon, 04 Oct 2010 14:41:34 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <AANLkTimERshG-ndU8_uc0NJhx6ree6d8kxYj=EVeHpmA@mail.gmail.com> <4CA20BFC.90704@aol.com> <5710F82C0E73B04FA559560098BF95B124FB233412@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <4CA9FEAC.8090407@aol.com> <59DD1BA8FD3C0F4C90771C18F2B5B53A653964AD76@GVW0432EXB.americas.hpqcorp.net> <4CAA1CBB.80001@aol.com>
In-Reply-To: <4CAA1CBB.80001@aol.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
Cc: "Zeltsan, Zachary \(Zachary\)" <zachary.zeltsan@alcatel-lucent.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signatures don't solve that problem (was RE: Signatures...what are we trying to solve?)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Oct 2010 18:41:05 -0000

YES!!!   (I wish I could have made this point myself as clear as George 
did.)

In fact, I think this ought to be a fundamental requirement for OAuth 
applicability within several domains, health services in particular.

Igor

George Fletcher wrote:
> ... The point of signatures is not to enable authorization but to 
> ensure that release of data only happens within the context that was 
> authorized by the user.
...