Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Eran Hammer-Lahav <> Wed, 29 September 2010 15:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E6463A6D16 for <>; Wed, 29 Sep 2010 08:36:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BlTs+6us8kr2 for <>; Wed, 29 Sep 2010 08:36:49 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 2CA0B3A6D00 for <>; Wed, 29 Sep 2010 08:36:49 -0700 (PDT)
Received: (qmail 4337 invoked from network); 29 Sep 2010 15:37:32 -0000
Received: from unknown (HELO ( by with SMTP; 29 Sep 2010 15:37:32 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([]) with mapi; Wed, 29 Sep 2010 08:37:30 -0700
From: Eran Hammer-Lahav <>
To: Mark Mcgloin <>
Date: Wed, 29 Sep 2010 08:37:17 -0700
Thread-Topic: [OAUTH-WG] Looking for a compromise on signatures and other open issues
Thread-Index: Actf6xAX2KvfjTfnS+ev1OlFEd/d9gAABgJg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343D460DB978@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB5BE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <90C41DD21FB7C64BB94121FBBC2E72343D460DB941@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Sep 2010 15:36:54 -0000

Thanks Mark.

> -----Original Message-----
> From: Mark Mcgloin []
> Sent: Wednesday, September 29, 2010 8:28 AM

> I think acquiring and using a token can be considered core as you always
> need both. I don't have valid security consideration linkage between
> acquiring and using the token to back up my assertion that it may confuse
> developers if we separate them (yet)

Just to be clear, the 'core' designation is completely virtual. No specification will say 'core' in it or position itself as more authoritative than others. OAuth is already a modular protocol with its different profiles and use cases. We have been using this term to talk about the primary document, but with this proposal it is no longer a useful term.

I think that positioning the OAuth name as the 'protocol for exchanging one set of credentials for an access token via HTTP' is useful. What happens next is not always strictly OAuth. This is especially true when the token is used with new or existing schemes that are outside the scope of this working group.