Re: [OAUTH-WG] Basic signature support in the core specification

Dick Hardt <dick.hardt@gmail.com> Sat, 25 September 2010 19:24 UTC

To be clear, I think signatures are important, and I think that standardizing them would be really useful. One of the early complaints about OAuth 1.0 was that the signature mechanism was different than the OpenID mechanism. Having a standard signature mechanism in this space seems like a good thing. Having a signature mechanism be an optional part of the OAuth spec makes them less appealing to others.

I also think that standard tokens are really useful, and that they would be useful in other places besides OAuth, which is why they are in a different spec.

On 2010-09-25, at 7:54 AM, Eran Hammer-Lahav wrote:

> My logic is that your suggested organization is based on your personal preferences and what you consider core. If I applied my personal preference, half of core would be elsewhere. My point is that deciding signatures is the part belonging elsewhere is completely subjective to how important one thinks it is.
> 
> EHL
> 
> 
> On 9/24/10 10:43 PM, "Dick Hardt" <dick.hardt@gmail.com> wrote:
> 
> I don't follow your logic ... or perhaps I don't see why the spec needs to be written in more than two parts.
> 
> For example, the current spec does not specify the format of the token -- which keeps it simpler and straightforward. There are separate draft specs for standardizing the token. Similarly, I think the spec could be written to not include signatures, and put signatures into a different, reusable spec. If you would like help with that organization, I'll volunteer. :)
> 
> -- Dick
> 
> On 2010-09-24, at 7:24 PM, Eran Hammer-Lahav wrote:
> 
> I’m happy to do that. But I will be breaking the spec into more than two parts. Basically, I will be creating a version that does not force anyone to read anything they might not care about. Clearly, we shouldn’t base editorial decisions on what you want to read :-)
> 
> EHL
> 
> 
> On 9/24/10 5:21 PM, "Dick Hardt" <dick.hardt@gmail.com> wrote:
> 
> -1 in core
> 
> +1 to being referenced in core and being a separate document
> 
> On 2010-09-23, at 6:43 PM, Eran Hammer-Lahav wrote:
> 
> > Since much of this recent debate was done off list, I'd like to ask people
> > to simply express their support or objection to including a basic signature
> > feature in the core spec, in line with the 1.0a signature approach.
> >
> > This is not a vote, just taking the temperature of the group.
> >
> > EHL