Re: [OAUTH-WG] OAuth WRAP
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 10 November 2009 21:46 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Paul C. Bryan" <email@pbryan.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 10 Nov 2009 14:46:25 -0700
Not really. It is more about who you listen to than who is speaking.

EHL

On 11/10/09 1:40 PM, "Paul C. Bryan" <email@pbryan.net> wrote:

> Hi Eran:
>
> Thanks for your clarification. It seems to me that without simple
> guidelines on what's reasonable to be called "OAuth", anyone can
> propose a protocol that purports to be related in some way to OAuth,
> at the expense of community confusion and dilution of its meaning. Is
> there a way to mitigate this kind of occurrence other than by simply
> dismissing it as noise?
>
> Paul
>
> On Tue, 2009-11-10 at 14:16 -0700, Eran Hammer-Lahav wrote:
> > My 2c:
> >
> > WRAP was developed out of necessity due to limitations in OAuth and
> > product release schedule. Without going into too much detail about
> > whether a whole new protocol was really necessary, the WRAP authors
> > felt that it was, and that their timeline could not accommodate
> > waiting for the OAUTH WG to accommodate their use cases in the new
> > version of the spec. We now have a new and separate spec in the space.
> >
> > I have encouraged the authors to submit their spec as input for the WG
> > and to collaborate to make the upcoming WG spec cover their use case.
> > The goal would be to render the separate WRAP spec unnecessary. How
> > they or others would choose to apply this to their implementation is
> > beyond my control or (TBH) interest.
> >
> > Most of the innovative ideas in WRAP are around the delegation flow
> > (and there are some good ideas in there). I plan to use some of that
> > as the basis for the new delegation spec. On the authentication side,
> > WRAP uses bearer token with no crypto which will be supported by the
> > PLAIN flavor.
> >
> > As for how to manage community expectations, the OAuth brand, etc.: I
> > was opposed to putting WRAP under the OAuth brand (the entire effort
> > started as "Simple OAuth"). Others felt that pretending WRAP was an
> > OAuth profile (it is not) and naming it as such would be less
> > confusing or less damaging to the OAuth brand (if you call it the same
> > thing, there is no competition). I didn't care enough to (continue)
> > that argument given my view that by the time WRAP will get the wide
> > attention OAuth has, this WG will produce stable drafts of the new
> > OAuth and will make this irrelevant.
> >
> > EHL
> >
> > On 11/10/09 11:56 AM, "Paul C. Bryan" <email@pbryan.net> wrote:
> > > I guess I must admit I'm a bit surprised that the general consensus
> > > would be to merge with/profile WRAP as OAuth, as the deltas between
> > > the two protocols as defined seem quite substantial. Does this mean
> > > that for all intents and purposes I should consider the existing
> > > OAuth IETF drafts to date to be deprecated in favour of WRAP?
> > >
> > > Paul
> > >
> > > On Tue, 2009-11-10 at 19:46 +0000, Dick Hardt wrote:
> > > > Good question. Given the positive reception WRAP received at IIW
> > > > and that capabilities in WRAP are expected to come out of the work
> > > > in the IETF OAuth WG, there was consensus from the OAuth community
> > > > to include WRAP as OAuth profiles.
> > > >
> > > > -- Dick
> > > >
> > > > On 2009-11-10, at 10:06 AM, "Paul C. Bryan" <email@pbryan.net> wrote:
> > > > > Hi Dick:
> > > > >
> > > > > Given that WRAP is so different from OAuth (as I know it), other
> > > > > than the fact that OAuth could be used to negotiate the issuance
> > > > > of a WRAP refresh token, I'm curious why you chose to associate
> > > > > this with OAuth by giving it an "OAuth" prefix. It seems to me
> > > > > that it would only create confusion in this space.
> > > > >
> > > > > Paul
> > > > >
> > > > > On Tue, 2009-11-10 at 17:52 +0000, Dick Hardt wrote:
> > > > > > At IIW last week, myself, Brian Eaton from Google and Allen
> > > > > > Tom from Yahoo! presented what is now called OAuth WRAP.
> > > > > >
> > > > > > The specs and discussion specific to those documents are at:
> > > > > >
> > > > > > http://groups.google.com/group/oauth-wrap-wg
> > > > > >
> > > > > > We plan to submit the document as an I-D next week when I-D
> > > > > > submission is open again, and for further work to occur in
> > > > > > the IETF OAuth WG.
> > > > > >
> > > > > > -- Dick
> > > > > > _______________________________________________
> > > > > > OAuth mailing list
> > > > > > OAuth@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/oauth