Re: [OAUTH-WG] Mandatory-to-implement token type
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 01 December 2011 21:25 UTC
To: Barry Leiba <barryleiba@computer.org>
Cc: oauth WG <oauth@ietf.org>

Barry, all,

First, apologies for being so slow responding, various travels got in the way. I hope we can quickly resolve this now.

Bit of process first: at the meeting we discussed this and at the end of that discussion, there were quite a few more folks for the "pick one" position. People who favour that outcome and really care about that need to speak up on the list, since the list consensus trumps the sense of the room in the chairs' evaluation of the WG consensus.

Second, at the meeting I said that I'd like to see either MAC or bearer picked as MTI, and if not, that I want the draft to say why it's ok to have no MTI token type. So the WG either need to pick one, or else explicitly and convincingly justify not picking one. That's the "firm" AD position to which Barry referred. (I didn't properly call out the "if not" part of that in my AD review, sorry.)

My own argument for picking one is simple: if every relevant piece of code has to know how to handle one then it becomes easier to get interop. If everyone decides for themselves then interop is less likely since there are currently two choices and may be more in future.

I do realise that the background here and current practice is that code tends to be written that is specific to a resource server (or however that's best phrased) but that's maybe where the IETF differs from the community that produced OAuth - here we want two independent implementers who've never talked to produce code that interops even so.

I also realise that that's not the full story for getting interop with OAuth and that more is needed. However, this aspect is otherwise fully specified and so I don't buy the argument that this isn't worth doing just because we don't have the full registration story etc. figured out. If we don't sort this out now, then later specs will have to update this one in this respect, possibly making existing code "non-compliant" in some sense, so just going ahead and doing it right now is better.

So, pick one (my strong personal preference) or establish and document why you're not picking one seem to me to be the choices available.

Regards,
Stephen.

On 11/17/2011 08:28 AM, Barry Leiba wrote:
> Stephen, as AD, brought up the question of mandatory-to-implement
> token types, in the IETF 82 meeting. There was some extended
> discussion on the point:
>
> - Stephen is firm in his belief that it's necessary for
> interoperability. He notes that mandatory to *implement* is not the
> same as mandatory to *use*.
> - Several participants believe that without a mechanism for requesting
> or negotiating a token type, there is no value in having any type be
> mandatory to implement.
>
> Stephen is happy to continue the discussion on the list, and make his
> point clear. In any case, there was clear consensus in the room that
> we *should* specify a mandatory-to-implement type, and that that type
> be bearer tokens. This would be specified in the base document, and
> would make a normative reference from the base doc to the bearer token
> doc.
>
> We need to confirm that consensus on the mailing list, so this starts
> the discussion. Let's work on resolving this over the next week or
> so, and moving forward:
>
> 1. Should we specify some token type as mandatory to implement? Why
> or why not (*briefly*)?
>
> 2. If we do specify one, which token type should it be?
>
> Barry, as chair