Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Mark Mcgloin <> Wed, 29 September 2010 07:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 320883A6B23; Wed, 29 Sep 2010 00:55:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MgzTSk5KghKx; Wed, 29 Sep 2010 00:55:21 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CADE63A6C3F; Wed, 29 Sep 2010 00:55:20 -0700 (PDT)
Received: from ( []) by (8.13.1/8.13.1) with ESMTP id o8T7u2Em020383; Wed, 29 Sep 2010 07:56:02 GMT
Received: from ( []) by (8.13.8/8.13.8/NCO v10.0) with ESMTP id o8T7u2p73158250; Wed, 29 Sep 2010 08:56:02 +0100
Received: from (loopback []) by (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id o8T7u2E4018872; Wed, 29 Sep 2010 01:56:02 -0600
Received: from ( []) by (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id o8T7u1Xq018867; Wed, 29 Sep 2010 01:56:02 -0600
In-Reply-To: <>
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB5BE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
X-KeepSent: 4576070A:5F974BC0-802577AD:002AB50B; type=4; name=$KeepSent
To: Dick Hardt <>
X-Mailer: Lotus Notes Release 8.5.1 September 28, 2009
Message-ID: <>
From: Mark Mcgloin <>
Date: Wed, 29 Sep 2010 08:55:26 +0100
X-MIMETrack: Serialize by Router on D06ML093/06/M/IBM(Release 8.0.2FP6|July 15, 2010) at 29/09/2010 08:55:28
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Cc: "OAuth WG (" <>,
Subject: Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Sep 2010 07:55:22 -0000

I echo Dick's sentiment, mildly

-1 to splitting acquiring and using a token. It may not confuse people
actively engaged in the WG but what about everyone else?

Also, as Torsten and I look at security considerations, I wonder if there
are some examples that link the threat model for acquiring a token and
using a token.  So:

1) Will the decisions a service provider make when granting a token depend
on, or affect, the use case for using that token?
2) Will the use case, grant type or other flow parameters a client selects
for acquiring a token, depend on how they will use that token?

I don't have concrete examples to back this up but possibilities include:
automatic granting of access token, refresh tokens, non-secure channels, ??

Mark McGloin

Dick Hardt wrote on 29/09/2010 01:08

> I am mildly concerned that breaking the spec into multiple parts makes it
harder for the spec reader to understand what is going on. Where does a
complete example of > getting and using a token? Imagine how confusing HTTP
would be if the request and response were in separate specs.