IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 13 May 2010 21:14 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B89F13A6D39 for <oauth@core3.amsl.com>; Thu, 13 May 2010 14:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.093
X-Spam-Level:
X-Spam-Status: No, score=-1.093 tagged_above=-999 required=5 tests=[AWL=-1.094, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BfW+7utwAoVs for <oauth@core3.amsl.com>; Thu, 13 May 2010 14:14:25 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 4D94E3A6D21 for <oauth@ietf.org>; Thu, 13 May 2010 14:14:24 -0700 (PDT)
Received: (qmail 10029 invoked from network); 13 May 2010 21:14:13 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 13 May 2010 21:14:13 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Thu, 13 May 2010 14:14:11 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Yaron Goland <yarong@microsoft.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Thu, 13 May 2010 14:14:24 -0700
Thread-Topic: Open Issues: Group Survey (respond by 5/13)
Thread-Index: Acrvu4cfH3LKPgwRQV+7sW5YxUA1vAC/+jNgAAhGIwAAAP6TwA==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3B69895B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8A679@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72343B3B698808@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com>
In-Reply-To: <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 21:14:31 -0000

There is clearly no consensus for either A or B. There was mostly no objection to C, and the reason given by most of those who objected was client complexity with the current proposal solves.

Weak consensus means that the option has some support and little objection. If those who had something against C still think the solution doesn't address their reason for voting against it, they are free (as always) to express their objections again.

Unlike other features of the spec which we can keep out while discussing it, this one is critical and the spec is completely useless without. It is far better to have support for three options (with the option of moving two to an extension document with the format parameter) than to pick one and then change it.

I believe there was enough support for putting C in the draft. If you have a problem with that, feel free to ask the chairs for a different resolution.

EHL

> -----Original Message-----
> From: Yaron Goland [mailto:yarong@microsoft.com]
> Sent: Thursday, May 13, 2010 1:50 PM
> To: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> Subject: RE: Open Issues: Group Survey (respond by 5/13)
> 
> I went through and counted all the votes I could find in the mail archive (I
> have reproduced the results below). 8 people explicitly stated a preference
> for A or B (of those 4 explicitly stated they don't want C). Only 3 people voted
> for C as their first choice.
> 
> Even if we bunch together people who voted for C and people who could live
> with C (but picked another option as their first choice) that is still only 5 who
> expressed any level of preference for C versus 6 people who didn't pick C at
> all.
> 
> Given these numbers I am at a loss to understand why you believe a
> consensus (weak or otherwise) exists for C. Could you please explain your
> reasoning?
> 
> 	Thanks,
> 
> 		Yaron
> 
> Vivek Khurana - A or B but not C
> Yaron Goland - A then B but not C
> David Waite - A or B but doesn't like C
> Mike Moore - A (but not C)
> Dick Hardt - B
> James H Manger - B
> 
> Torsten Lodderstedt - B but could live with C Joseph Smarr - B but could live
> with C
> 
> Justin P. Richer - C
> Eran Hammer-Lahav - C
> David Recordon - C
> 
> Mark Mcgloin - No preference
> 
> 
> 
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Eran Hammer-Lahav
> > Sent: Thursday, May 13, 2010 10:01 AM
> > To: OAuth WG (oauth@ietf.org)
> > Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
> >
> > Thanks to those who participated!
> >
> > Some conclusions:
> >
> > > 1. Server Response Format
> > >
> > > After extensive debate, we have a large group in favor of using JSON
> > > as the only response format (current draft). We also have a smaller
> > > group but with stronger feelings on the subject that JSON adds
> > > complexity with no obvious value.
> > >
> > > A. Form-encoded only (original draft) B. JSON only (current draft)
> > > C. JSON as default with form-encoded and XML available with an
> > > optional request parameter
> >
> > It seems like we have weak consensus to go with C where the server
> > must support all three formats, and the client can use either one.
> > This approach addresses most of the concerns around client complexity
> > / size. Only one person strongly objected to C (without an explanation
> > that can be addressed). Summing up the results was hard because many
> > people had no strong preference between A and B but with each of the
> > three options received about a third of the votes.
> >
> > My guess is that if we held another vote asking if the spec should
> > only support form-encoded or all three - all three will get most of
> > the votes (and same if we made JSON the only option or all three).
> > This is why C is really the only way to move forward at this point. We
> > can revisit this later if implementation experience shows supporting
> > all three in this manner is a problem.
> >
> > I am going to add this to the specification as a point of reference
> > for future discussions.
> >
> > > 2. Client Authentication (in flows)
> > >
> > > How should the client authenticate when making token requests? The
> > > current draft defines special request parameters for sending client
> > > credentials. Some have argued that this is not the correct way, and
> > > that the client should be using existing HTTP authentication schemes
> > > to accomplish that such as Basic.
> > >
> > > A. Client authenticates by sending its credentials using special
> > > parameters (current draft) B. Client authenticated by using HTTP
> > > Basic (or other schemes supported by the server such as Digest)
> >
> > Weak consensus to support both request parameters and HTTP Basic
> > authentication (with other schemes as optional). I will add a new
> > section to the draft allowing replacing the parameters with an HTTP
> > authentication header. The flows text will remain the same.
> >
> > EHL
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email