IETF Logo Mail Archive

Re: [OAUTH-WG] problem statement

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 07 September 2011 00:06 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F67621F8ABE for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 17:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ICoLaI-7Vp71 for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 17:06:08 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 843FC21F8AB0 for <oauth@ietf.org>; Tue, 6 Sep 2011 17:06:08 -0700 (PDT)
Received: (qmail 20687 invoked from network); 7 Sep 2011 00:07:55 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 7 Sep 2011 00:07:54 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 6 Sep 2011 17:07:45 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Aiden Bell <aiden449@gmail.com>
Date: Tue, 06 Sep 2011 17:07:37 -0700
Thread-Topic: [OAUTH-WG] problem statement
Thread-Index: Acxs8isnEL2PlvMMQzST9oaf1ZGMCQ==
Message-ID: <0D972529-49A4-4762-B2D3-5922F9EB444E@hueniverse.com>
References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com> <CA+5SmTV=CR9x_aAtr=Vyyx5a8o7N94L=EVCif79uHwTVbo5ZSA@mail.gmail.com>
In-Reply-To: <CA+5SmTV=CR9x_aAtr=Vyyx5a8o7N94L=EVCif79uHwTVbo5ZSA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_0D97252949A44762B2D35922F9EB444Ehueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 00:06:09 -0000

Write content and ping me off list. To avoid confusion, note that oauth.net<http://oauth.net> has nothing to do with this list and the IETF.

EHL

On Sep 6, 2011, at 16:12, "Aiden Bell" <aiden449@gmail.com<mailto:aiden449@gmail.com>> wrote:

Perhaps a solution is to push OAuth.net<http://OAuth.net> as more of a "everything you ever wanted to know about OAuth"
and direct non-core issues there for a page of good content to be created. This way the RFC can focus on the
issue at hand and broader scope can be taken care of without having a 40+ thread on something like this.

Developers can still have a voice on these things, even if it isn't directly through the RFC.

I feel strongly enough that I would be willing to help here. Let me know if I can be of any assistance
in having these things dealt with more appropriately through something like that.

Aiden

On 6 September 2011 23:27, Eran Hammer-Lahav <<mailto:eran@hueniverse.com>eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote:
It is a problem. For a few months now we have been going through this over and over again. The longer we work on this draft the more of this two-sentence changes people suggest. They don't make the document any better, create a false sense of comprehensiveness, and just further delay being done.

So yeah, unless you can prove that there is an actual problem, we are done.

EHL

On Sep 6, 2011, at 15:22, "Melinda Shore" <<mailto:melinda.shore@gmail.com>melinda.shore@gmail.com<mailto:melinda.shore@gmail.com>> wrote:

> On 09/06/2011 12:59 PM, John Kemp wrote:
>> The point is that you have a point.
>
> He does, and that's in some large part why I don't
> fully understand the temperature of the responses.
> I do not think it's a particularly big deal to stick
> a couple of sentences in the security considerations
> underscoring the fact that OAUTH can't do anything
> about a compromised host or a malicious application.
> I've learned to live with the fact that sometimes
> people implementing or deploying security technologies
> don't fully understand them and it's my impression that
> there's some number of people out there who think that
> OAUTH and other third-party protocols provide sufficient
> protection against password snagging.
>
> Melinda
> _______________________________________________
> OAuth mailing list
> <mailto:OAuth@ietf.org> OAuth@ietf.org<mailto:OAuth@ietf.org>
> <https://www.ietf.org/mailman/listinfo/oauth> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
<mailto:OAuth@ietf.org>OAuth@ietf.org<mailto:OAuth@ietf.org>
<https://www.ietf.org/mailman/listinfo/oauth>https://www.ietf.org/mailman/listinfo/oauth



--
------------------------------------------------------------------
Never send sensitive or private information via email unless it is encrypted. <http://www.gnupg.org> http://www.gnupg.org

v2.23.0 | Report a Bug | By Email