Re: [OAUTH-WG] AD review of -22
Justin Richer <jricher@mitre.org> Thu, 03 November 2011 12:46 UTC
This is exactly what I was thinking of. If a given token type is MTI for
clients, but servers can do whatever they want (this, as I read it, is
what was suggested), how does the MTI bit help interop at all?

 -- Justin

On Wed, 2011-11-02 at 15:48 -0700, William Mills wrote:
> I actually think the protected resource specifies the token type(s) in
> either its service docs or discovery information, and it does know
> knowing its authentication server will issue compatible tokens. The
> client may encounter endpoints requiring token types it doesn't
> support, and it needs to fail gracefully. The client may select any
> supported OAuth 2 scheme it understands which the PR supports.
>
> I am not in favor of specifying MUST for any particular flavor of
> token.
>
> What is the value of mandating a token type?
>
> -bill
>
> ______________________________________________________________________
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: John Bradley <ve7jtb@ve7jtb.com>; Torsten Lodderstedt
> <torsten@lodderstedt.net>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Sent: Wednesday, November 2, 2011 1:11 PM
> Subject: Re: [OAUTH-WG] AD review of -22
>
> Do you want to see no change or adjust it to client must implement
> both, server decides which to use.
>
> EHL
>
> ______________________________________________________________________
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of
> John Bradley [ve7jtb@ve7jtb.com]
> Sent: Wednesday, November 02, 2011 1:06 PM
> To: Torsten Lodderstedt
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
>
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
>
> > Hi Stephen,
> >
> > I'm concerned about your proposal (7) to make support for MAC a MUST
> > for clients and BEARER a MAY only. In my opinion, this does not
> > reflect the group's consensus. Beside this, the security threat
> > analysis justifies usage of BEARER for nearly all use cases as long
> > as HTTPS (incl. server authentication) can be utilized.
> >
> > regards,
> > Torsten.
> >
> > On 13.10.2011 19:13, Stephen Farrell wrote:
> > >
> > > Hi all,
> > >
> > > Sorry for having been quite slow with this, but I had a bunch
> > > of travel recently.
> > >
> > > Anyway, my AD comments on -22 are attached. I think that the
> > > first list has the ones that need some change before we push
> > > this out for IETF LC, there might or might not be something
> > > to change as a result of the 2nd list of questions and the
> > > rest are really nits can be handled either now or later.
> > >
> > > Thanks for all your work on this so far - it's nearly there
> > > IMO and we should be able to get the IETF LC started once
> > > these few things are dealt with.
> > >
> > > Cheers,
> > > S.
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth