[OAUTH-WG] Mandatory-to-implement token type

Barry Leiba <barryleiba@computer.org> Thu, 17 November 2011 08:28 UTC

Stephen, as AD, brought up the question of mandatory-to-implement
token types, in the IETF 82 meeting.  There was some extended
discussion on the point:

- Stephen is firm in his belief that it's necessary for
interoperability.  He notes that mandatory to *implement* is not the
same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting
or negotiating a token type, there is no value in having any type be
mandatory to implement.

Stephen is happy to continue the discussion on the list, and make his
point clear.  In any case, there was clear consensus in the room that
we *should* specify a mandatory-to-implement type, and that that type
be bearer tokens.  This would be specified in the base document, and
would make a normative reference from the base doc to the bearer token

We need to confirm that consensus on the mailing list, so this starts
the discussion.  Let's work on resolving this over the next week or
so, and moving forward:

1. Should we specify some token type as mandatory to implement?  Why
or why not (*briefly*)?

2. If we do specify one, which token type should it be?

Barry, as chair