Re: [OAUTH-WG] Basic signature support in the core specification
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 27 September 2010 16:55 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01E103A6B6E for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 09:55:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.792
X-Spam-Level:
X-Spam-Status: No, score=-1.792 tagged_above=-999 required=5 tests=[AWL=-0.599, BAYES_00=-2.599, J_CHICKENPOX_42=0.6, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bK-8GeufXtYN for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 09:55:50 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 6ABF93A6D74 for <oauth@ietf.org>; Mon, 27 Sep 2010 09:55:50 -0700 (PDT)
Received: (qmail 6830 invoked from network); 27 Sep 2010 16:56:10 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 27 Sep 2010 16:56:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Mon, 27 Sep 2010 09:55:56 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "igor.faynberg@alcatel-lucent.com" <igor.faynberg@alcatel-lucent.com>, Eve Maler <eve@xmlgrrl.com>
Date: Mon, 27 Sep 2010 09:55:59 -0700
Thread-Topic: [OAUTH-WG] Basic signature support in the core specification
Thread-Index: ActeZD8NM6+t6b/DTXqfw5aZUX2MfQAAJqgQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343D460DB36C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C8C2AB33.3AD38%eran@hueniverse.com> <BFD0447E-42BB-441F-A7B3-B0CFB0F6317B@gmail.com> <E0B0A685-4BA7-451B-B0DF-C0FC429595D1@xmlgrrl.com> <4CA0C96E.8090907@alcatel-lucent.com>
In-Reply-To: <4CA0C96E.8090907@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 16:55:52 -0000
Well said. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Igor Faynberg > Sent: Monday, September 27, 2010 9:42 AM > To: Eve Maler > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Basic signature support in the core specification > > I think Torsten's previous comment explains it well: We cannot expect > approval of the core, if security is not sufficiently addressed. I also agree that > it cannot be addressed without the signature mechanism clearly specified. > Therefore, if anything is going to delay the core, it is the absence of the > signature specification. A dangling reference to work in progress won't help; > the referred spec must be there. > > But if both the OAuth signatures and the OAuth core specifications are > complete and going for approval at the same time, why not actually have > them in the same spec, especially given that we experts who have agreed > working on this and ARE working on this? > > > Igor > > > > Eve Maler wrote: > > It seems like you figured it out pretty quickly, given the message you > > sent immediately after. :-) > > > > Referencing another spec from the core spec using normative text is > > effectively "including it by reference". I meant that I'm sympathetic > > (+1) to signaling in core OAuth that signatures are to be considered > > an integral part of it, and that if it makes sense to do so by > > pointing to a spec module that is pointable-to by other specs that are > > not OAuth, that's fine (call it a soft -1 to including the signature > > details directly in the core OAuth spec). > > > > Eve > > > > On 24 Sep 2010, at 10:39 PM, Dick Hardt wrote: > > > >> wrt. developers knowing what they need => I think the AS / PR will > >> tell developers if they need to use signatures, or if they need to > >> use HTTPS, or if they need to use assertions. > >> > >> Sorry for including more than one topic in my email :: my main point > >> was that I was confused by what Eve was proposing. > >> > >> -- Dick > >> > >> > >> On 2010-09-24, at 7:23 PM, Eran Hammer-Lahav wrote: > >> > >>> Most developers don't know if they need signatures! By putting them > >>> elsewhere we will be promoting the bearer token approve as the > >>> default choice and that's unacceptable to me. It is promoting a > >>> specific security compromise (for developer ease) that is far from > >>> industry consensus. > >>> > >>> I can make the same arguments about assertions. Or any single > >>> profile. Or any client credentials type. The bits that are in are > >>> based solely on a team effort in trying to accommodate as many > >>> people as possible. Seems like those opposed signatures got > >>> everything they want, don't really care about others, and are ready > >>> to call it a day. > >>> > >>> EHL > >>> > >>> > >>> On 9/24/10 5:20 PM, "Dick Hardt" <dick.hardt@gmail.com > >>> <x-msg://12/dick.hardt@gmail.com>> wrote: > >>> > >>> That's a confusing answer Eve. Is it in the spec or pointed to > >>> from the spec? > >>> > >>> I think there is consensus that there are enough use cases that > >>> signatures need to be spec'ed -- the question is if the > >>> signature spec is in core or a separate spec. > >>> > >>> For people that don't need signatures, having them separate > >>> keeps the core spec simpler. Having a separate spec enables > >>> other groups to reuse the signature mechanism without confusing > >>> their readers with the rest of the OAuth spec. > >>> > >>> On 2010-09-24, at 1:37 PM, Eve Maler wrote: > >>> > >>> > +1 for signature support in the core spec (which may look like > >>> normative pointers out to a separate spec module if it turns out > >>> there's wider usage for that module beyond OAuth). > >>> > > >>> > Eve > >>> > > >>> > On 23 Sep 2010, at 6:43 PM, Eran Hammer-Lahav wrote: > >>> > > >>> >> Since much of this recent debate was done off list, I'd like > >>> to ask people > >>> >> to simply express their support or objection to including a > >>> basic signature > >>> >> feature in the core spec, in line with the 1.0a signature > >>> approach. > >>> >> > >>> >> This is not a vote, just taking the temperature of the group. > >>> >> > >>> >> EHL > >>> >> > >>> >> _______________________________________________ > >>> >> OAuth mailing list > >>> >> OAuth@ietf.org <x-msg://12/OAuth@ietf.org> > >>> >> https://www.ietf.org/mailman/listinfo/oauth > >>> > > >>> > > >>> > Eve Maler > >>> http://www.xmlgrrl.com/blog > >>> > +1 425 345 6756 > >>> http://www.twitter.com/xmlgrrl > >>> > > >>> > _______________________________________________ > >>> > OAuth mailing list > >>> > OAuth@ietf.org <x-msg://12/OAuth@ietf.org> > >>> > https://www.ietf.org/mailman/listinfo/oauth > >>> > >>> > >> > > > > > > Eve Maler http://www.xmlgrrl.com/blog > > +1 425 345 6756 http://www.twitter.com/xmlgrrl > > > > ---------------------------------------------------------------------- > > -- > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Basic signature support in the core sp… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… William Mills
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Bastian Hofmann
- Re: [OAUTH-WG] Basic signature support in the cor… George Fletcher
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer
- Re: [OAUTH-WG] Basic signature support in the cor… Igor Faynberg
- Re: [OAUTH-WG] Basic signature support in the cor… Eve Maler
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer
- Re: [OAUTH-WG] Basic signature support in the cor… Doreswamy, Rangan
- Re: [OAUTH-WG] Basic signature support in the cor… John Panzer
- Re: [OAUTH-WG] Basic signature support in the cor… David Recordon
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Nat
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Mark Mcgloin
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Eve Maler
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Manger, James H
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… John Panzer
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Mark Mcgloin
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Igor Faynberg
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- [OAUTH-WG] CORRECTION: Re: Basic signature suppor… Igor Faynberg
- Re: [OAUTH-WG] Basic signature support in the cor… William Mills
- Re: [OAUTH-WG] Basic signature support in the cor… Anthony Nadalin
- Re: [OAUTH-WG] CORRECTION: Re: Basic signature su… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer