Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification draft -02

William Mills <wmills@yahoo-inc.com> Fri, 28 January 2011 22:51 UTC

From: William Mills <wmills@yahoo-inc.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 28 Jan 2011 14:54:24 -0800

I'd like to add my objection to using "OAuth2" as the scheme name for the access token.  It's confusing in my opinion.  I would much prefer (in my own order of preference): "oauth_bearer", "oauth2_bearer", or "bearer".  I think including OAuth in the name makes sense because it is defined in that context, but we've already talked about other possible token types.

Is there any argument in favor of simply using "OAuth2" that offsets the possible confusion and muddiness?

-bill

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, January 28, 2011 1:36 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.0 Bearer Token Specification draft -02

I've published draft 02 of the bearer token specification.  This incorporates consensus feedback received to date.  It contains no normative changes relative to draft 01.  Your feedback is solicited.  Specific changes were:

* Changed terminology from "token reuse" to "token capture and replay".

* Removed sentence "Encrypting the token contents is another alternative" from the security considerations since it was redundant and potentially confusing.

* Corrected some references to "resource server" to be "authorization server" in the security considerations.

* Generalized security considerations language about obtaining consent of the resource owner.

* Broadened scope of security considerations description for recommendation "Don't pass bearer tokens in page URLs".

* Removed unused reference to OAuth 1.0.

* Updated reference to framework specification and updated David Recordon's e-mail address.

* Removed security considerations text on authenticating clients.

* Registered the "OAuth2" OAuth access token type and "oauth_token" parameter.

The draft is available at these locations:

* http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-02.txt

* http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-02.xml

* http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-02.html

* http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-02.txt

* http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-02.xml

* http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, txt, and xml versions available)

This version is explicitly not ready for working group last call, as changes may need to be made due to the open issues in the framework spec about the removal of the Client Assertion Credentials and OAuth2 HTTP Authentication Scheme.

-- Mike
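To make the scheme-name question concrete, here is an added example (written for this page, not code from the thread or from the draft) of a resource server accepting a bearer credential from the Authorization header: the scheme string is the interoperability contract, so a client sending a name the server never registered (the bare "OAuth2" objected to above) is refused as an unknown scheme. The accepted scheme names are the candidates Bill lists, the token store is constructed, and the choice to refuse tokens carried in the page URL (the draft's "oauth_token" parameter) is this example's own policy following the "Don't pass bearer tokens in page URLs" recommendation.

```python
"""Added example: minimal Authorization-header check for an OAuth 2.0 bearer
credential. Scheme names, token values and the policy below are constructed
for the demo and are not taken from the draft."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed for the demo: tokens the authorization server has issued.
VALID_TOKENS = {"vF9dft4qmT": "read", "xyz123": "write"}

# Scheme names this server accepts, stored lowercase because HTTP
# authentication scheme names are compared case-insensitively.
ACCEPTED_SCHEMES = {"oauth_bearer", "oauth2_bearer", "bearer"}


def parse_authorization(header: Optional[str]) -> tuple:
    """Split 'Scheme credentials' into (scheme lowercased, credentials)."""
    if not header or not header.strip():
        return None, None
    parts = header.strip().split(None, 1)
    scheme = parts[0].lower()
    token = parts[1].strip() if len(parts) == 2 else None
    return scheme, token


def authorize(header: Optional[str], request_url: str) -> dict:
    """Decide one request: granted scope on success, else a refusal reason.

    Policy of this demo: a token in the URL query string is refused even if
    it is valid, so that tokens never end up in browser history or logs.
    """
    query = parse_qs(urlsplit(request_url).query)
    if "oauth_token" in query:
        return {"ok": False, "reason": "token_in_url"}
    scheme, token = parse_authorization(header)
    if scheme is None:
        return {"ok": False, "reason": "no_credentials"}
    if scheme not in ACCEPTED_SCHEMES:
        # A client built against a different scheme name (e.g. "OAuth2")
        # fails here: the name itself is what both sides must agree on.
        return {"ok": False, "reason": "unknown_scheme", "scheme": scheme}
    if token not in VALID_TOKENS:
        return {"ok": False, "reason": "invalid_token"}
    return {"ok": True, "scope": VALID_TOKENS[token]}
```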