Re: [OAUTH-WG] OMA Liaison Has Arrived!

Barry Leiba <> Wed, 24 August 2011 12:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7324121F8785 for <>; Wed, 24 Aug 2011 05:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.031
X-Spam-Status: No, score=-103.031 tagged_above=-999 required=5 tests=[AWL=-0.054, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9OvQdqTV7YAD for <>; Wed, 24 Aug 2011 05:31:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C382121F8569 for <>; Wed, 24 Aug 2011 05:31:15 -0700 (PDT)
Received: by yie12 with SMTP id 12so983394yie.31 for <>; Wed, 24 Aug 2011 05:32:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=Q+t/T/fuIogkZj/x2ZsJ5QolA3TYHKsx4WY+WAcJ1UU=; b=egGbchYtz/3HamxmhMHURs4CRxiyHL2QdalEdx1et1Q/2hgBLZE/ZCXewyjIiP6J6+ 6e+BeKkl8P7b10du2CEMoJqx2+fjd8OJAndWk5900scHQH54qRSZ7S04YamEggKCVcXu F0Ur0vyO6uK2qoS2xGmSvXvHBgMnyyFhB1Zq8=
MIME-Version: 1.0
Received: by with SMTP id x16mr5126645yax.29.1314189145985; Wed, 24 Aug 2011 05:32:25 -0700 (PDT)
Received: by with HTTP; Wed, 24 Aug 2011 05:32:25 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Wed, 24 Aug 2011 08:32:25 -0400
X-Google-Sender-Auth: CNSJVwZkhETU4eNBSrWpAnS1gV0
Message-ID: <>
From: Barry Leiba <>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [OAUTH-WG] OMA Liaison Has Arrived!
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Aug 2011 12:31:16 -0000

On Mon, Aug 22, 2011 at 1:53 PM, Barry Leiba <> wrote:
> I intend to add the following to the response to this item:
> "The working group understands that client code needs to know whether
> to use and decode percent-encoding.  The issue is being discussed and
> tracked, and will be resolved before the final version of the bearer
> document is produced."

For confirmation: Murray Kucherawy, our liaison to OMA, delivered our
response yesterday (Tuesday, 23 August), and OMA has acknowledged it.
They thank us for our prompt response.

Barry, as chair

> -----------------------------------------------------------------
> The IETF OAuth working group thanks OMA ARC SEC for the liaison
> statement titled "OAuth discovery and specification availability",
> dated 18 July 2011.
> The OMA liaison statement asks the OAuth working group to address five
> issues, and our answers are as follows:
> •       Availability of the IETF OAuth specifications: especially
> [draft-ietf-oauth-v2] and [draft-ietf-oauth-v2-bearer], and also
> [draft-hammer-oauth-v2-mac-token],
> [draft-lodderstedt-oauth-revocation] and [draft-recordon-oauth-v2-ux].
> Answer:
> The IETF cannot guarantee publication dates, but we can give some
> best-guess timeframes.  At this writing, draft-ietf-oauth-v2 and
> draft-ietf-oauth-v2-bearer have completed Working Group last call and
> are undergoing their final revisions before being sent to the IESG.
> We expect the final versions of those documents to be in the RFC
> Editor queue around the end of September, though it could be later if
> issues come up in IETF-wide last call or during IESG evaluation.  The
> draft-hammer-oauth-v2-mac-token document has been replaced by
> draft-ietf-oauth-v2-http-mac, which is a working group document.  It
> is likely to be in the RFC Editor queue by the end of the year.
> The remaining two documents are not working group documents, and the
> working group can say nothing about their status.  The OAuth working
> group intends to revise its charter in the November timeframe, and
> it's possible that one or both of those documents could be adopted by
> the working group at that time, and we could have further information
> about target publication dates then.
> •       Availability of the OAuth Parameters Registry
> Answer:
> The draft-ietf-oauth-v2 document establishes the OAuth Parameters
> Registry (in section 11.2, as of draft version 20).  The registry will
> be available when the RFC is published, which will be some time after
> the document goes into the RFC Editor queue, depending upon the RFC
> Editor's load at the time.
> •       IETF intent to specify an OAuth Discovery mechanism
> Answer:
> There is interest among OAuth working group participants for
> specifying such a mechanism, but the work is not in the current
> charter.  It will likely be considered during the aforementioned
> charter update in (approximately) November.
> •       Considerations that can help implementors decide about the type of
> OAuth access token to deploy.
> Answer:
> There is no current work planned, but documents with such
> implementation advice might also be considered during the rechartering
> discussion.
> •       For bearer tokens: clarification whether the non-support of percent
> encoding for scope-v element of WWW-Authenticate Response Header Field
> grammar is intentional.
> Answer:
> In the bearer token document (Section 2.4 of
> draft-ietf-oauth-v2-bearer-08, "The WWW-Authenticate Response Header
> Field"), the "scope-v" element is unambiguously defined to allow a
> specific set of characters.  That set of characters does permit, but
> does not mandate, support for percent-encoding of characters.
> -----------------------------------------------------------------