Re: [OAUTH-WG] Basic signature support in the core specification

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 25 September 2010 02:23 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dick Hardt <dick.hardt@gmail.com>, Eve Maler <eve@xmlgrrl.com>
Date: Fri, 24 Sep 2010 19:23:31 -0700
Thread-Topic: [OAUTH-WG] Basic signature support in the core specification
Thread-Index: ActcR2rGqgi2nQ6FTTqL74J+FQGiewAETqDL
Message-ID: <C8C2AB33.3AD38%eran@hueniverse.com>
In-Reply-To: <01D06BDE-576D-457A-B86E-37D35535C0A7@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Basic signature support in the core specification

Most developers don't know if they need signatures! By putting them elsewhere we will be promoting the bearer token approach as the default choice and that's unacceptable to me. It is promoting a specific security compromise (for developer ease) that is far from industry consensus.

I can make the same arguments about assertions. Or any single profile. Or any client credentials type. The bits that are in are based solely on a team effort in trying to accommodate as many people as possible. Seems like those opposed to signatures got everything they want, don't really care about others, and are ready to call it a day.

EHL


On 9/24/10 5:20 PM, "Dick Hardt" <dick.hardt@gmail.com> wrote:

That's a confusing answer Eve. Is it in the spec or pointed to from the spec?

I think there is consensus that there are enough use cases that signatures need to be spec'ed -- the question is if the signature spec is in core or a separate spec.

For people that don't need signatures, having them separate keeps the core spec simpler. Having a separate spec enables other groups to reuse the signature mechanism without confusing their readers with the rest of the OAuth spec.

On 2010-09-24, at 1:37 PM, Eve Maler wrote:

> +1 for signature support in the core spec (which may look like normative pointers out to a separate spec module if it turns out there's wider usage for that module beyond OAuth).
>
>       Eve
>
> On 23 Sep 2010, at 6:43 PM, Eran Hammer-Lahav wrote:
>
>> Since much of this recent debate was done off list, I'd like to ask people
>> to simply express their support or objection to including a basic signature
>> feature in the core spec, in line with the 1.0a signature approach.
>>
>> This is not a vote, just taking the temperature of the group.
>>
>> EHL
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
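The thread refers to "the 1.0a signature approach" without spelling out what a signed request actually binds. The block below is an added example, not code from this thread or from any OAuth WG draft: it implements the HMAC-SHA1 request signing and verification that RFC 5849 (the RFC form of OAuth 1.0a) specifies, with the request from RFC 5849 section 3.4.1.1 as sample input. The secrets CLIENT_SECRET and TOKEN_SECRET are constructed sample values (the RFC example gives none), and the function names are mine. It shows the trade-off under discussion: a bearer token is the credential itself, so anyone who captures it can use it in any request, whereas a signed request proves possession of a secret that never leaves the client and covers the method, URI and parameters, so the tampered copy at the end fails verification.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and verification.

Added example. The sample request is the one in RFC 5849 section 3.4.1.1;
the two secrets are constructed sample values and not from the RFC.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample secrets (RFC 5849 3.4.1.1 does not give any).
CLIENT_SECRET = "client-secret-example"
TOKEN_SECRET = "token-secret-example"

# The request from RFC 5849 section 3.4.1.1; the oauth_signature value is a
# placeholder because it is the value we compute.
SAMPLE_METHOD = "POST"
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_AUTH = ('OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", '
               'oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", '
               'oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", '
               'oauth_signature="placeholder"')
SAMPLE_BODY = "c2&a3=2+q"


def pct(s):
    """RFC 3986 percent-encoding as RFC 5849 section 3.6 requires: only the
    unreserved set A-Za-z0-9 - . _ ~ stays literal, everything else becomes
    %XX (uppercase hex) over the UTF-8 bytes. quote() with safe="" does exactly that."""
    return quote(s, safe="")


def parse_auth_header(header):
    """Collect protocol parameters from an 'Authorization: OAuth ...' header.
    'realm' is not a protocol parameter and oauth_signature is left out because
    it is what we are computing. Names and values arrive percent-encoded."""
    body = header.split(None, 1)[1]  # drop the 'OAuth' scheme token
    params = []
    for name, value in re.findall(r'([^\s=,]+)="([^"]*)"', body):
        if name in ("realm", "oauth_signature"):
            continue
        params.append((unquote(name), unquote(value)))
    return params


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query/fragment removed
    (RFC 5849 section 3.4.1.2)."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and not ((scheme == "http" and u.port == 80) or
                       (scheme == "https" and u.port == 443)):
        host = "%s:%d" % (host, u.port)
    return "%s://%s%s" % (scheme, host, u.path or "/")


def signature_base_string(method, url, auth_header, body=""):
    """Method & pct(base URI) & pct(normalized parameters) (RFC 5849 section 3.4.1).
    Parameters come from the query, the Authorization header and a form body;
    each name and value is encoded, then pairs are sorted by name and value."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += parse_auth_header(auth_header)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join("%s=%s" % (k, v) for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base, client_secret, token_secret=""):
    """Key is pct(client secret) & pct(token secret); output is base64 of the
    HMAC-SHA1 digest (RFC 5849 section 3.4.2)."""
    key = ("%s&%s" % (pct(client_secret), pct(token_secret))).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_request(method, url, auth_header, body, client_secret, token_secret, presented):
    """Server side: recompute the signature from the request as received and
    compare in constant time. Timestamp/nonce replay checks are a separate step."""
    base = signature_base_string(method, url, auth_header, body)
    expected = hmac_sha1_signature(base, client_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign the sample request, verify it, then verify a tampered copy that an
    attacker who captured the request (but not the secrets) has altered."""
    base = signature_base_string(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_AUTH, SAMPLE_BODY)
    sig = hmac_sha1_signature(base, CLIENT_SECRET, TOKEN_SECRET)
    genuine = verify_request(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_AUTH, SAMPLE_BODY,
                             CLIENT_SECRET, TOKEN_SECRET, sig)
    tampered = verify_request(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_AUTH, "c2&a3=attacker",
                              CLIENT_SECRET, TOKEN_SECRET, sig)
    return base, sig, genuine, tampered


if __name__ == "__main__":
    base, sig, genuine, tampered = demo()
    print(base)
    print("signature:", sig)
    print("genuine verifies:", genuine, "| tampered verifies:", tampered)
```

The base string this produces for the sample request is the one printed in RFC 5849 section 3.4.1.1, which is the useful check when writing a signer: almost every interoperability failure in 1.0a deployments is a normalization mistake (double encoding, wrong sort order, a port or query left in the base URI) rather than a wrong HMAC. One caveat the signature alone does not cover: an intact captured request can still be replayed verbatim inside the server's timestamp window, so a verifier also has to reject reused nonces per timestamp, which this block does not implement.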