Re: [OAUTH-WG] AD review of -22

Justin Richer <jricher@mitre.org> Thu, 03 November 2011 12:46 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AA811E80D2 for <oauth@ietfa.amsl.com>; Thu, 3 Nov 2011 05:46:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3-Ebyjp+mmA for <oauth@ietfa.amsl.com>; Thu, 3 Nov 2011 05:46:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4F07D11E80AC for <oauth@ietf.org>; Thu, 3 Nov 2011 05:46:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E822A21B0835; Thu, 3 Nov 2011 08:46:23 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D26DD21B03EC; Thu, 3 Nov 2011 08:46:23 -0400 (EDT)
Received: from [129.83.50.1] (129.83.31.55) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Thu, 3 Nov 2011 08:46:23 -0400
Message-ID: <1320324374.15549.29.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: William Mills <wmills@yahoo-inc.com>
Date: Thu, 03 Nov 2011 08:46:14 -0400
In-Reply-To: <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> , <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1320274139.8042.YahooMailNeo@web31809.mail.mud.yahoo.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.1-
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 12:46:25 -0000

This is exactly what I was thinking of. If a given token type is MTI for
clients, but servers can do whatever they want (this, as I read it, is
what was suggested), how does the MTI bit help interop at all?

 -- Justin

On Wed, 2011-11-02 at 15:48 -0700, William Mills wrote:
> I actually think the protected resource specifies the token type(s) in
> either its service docs or discovery information, and it does know its
> authentication server will issue compatible tokens.  The
> client may encounter endpoints requiring token types it doesn't
> support, and it needs to fail gracefully.  The client may select any
> supported OAuth 2 scheme it understands which the PR supports.
> 
> 
> 
> I am not in favor of specifying MUST for any particular flavor of
> token.
> 
> 
> What is the value of mandating a token type?
> 
> 
> 
> -bill
> 
> 
> 
> 
> ______________________________________________________________________
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: John Bradley <ve7jtb@ve7jtb.com>; Torsten Lodderstedt
> <torsten@lodderstedt.net>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Sent: Wednesday, November 2, 2011 1:11 PM
> Subject: Re: [OAUTH-WG] AD review of -22
> 
> Do you want to see no change or adjust it to client must implement
> both, server decides which to use.
>  
> EHL
>  
> 
> ______________________________________________________________________
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of
> John Bradley [ve7jtb@ve7jtb.com]
> Sent: Wednesday, November 02, 2011 1:06 PM
> To: Torsten Lodderstedt
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
> 
> 
> 
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> 
> > Hi Stephen,
> > 
> > I'm concerned about your proposal (7) to make support for MAC a MUST
> > for clients and BEARER a MAY only. In my opinion, this does not
> > reflect the group's consensus. Beside this, the security threat
> > analysis justifies usage of BEARER for nearly all use cases as long
> > as HTTPS (incl. server authentication) can be utilized.
> > regards,
> > Torsten.
> > 
> > On 13.10.2011 19:13, Stephen Farrell wrote:
> > > 
> > > Hi all, 
> > > 
> > > Sorry for having been quite slow with this, but I had a bunch 
> > > of travel recently. 
> > > 
> > > Anyway, my AD comments on -22 are attached. I think that the
> > > first list has the ones that need some change before we push
> > > this out for IETF LC, there might or might not be something
> > > to change as a result of the 2nd list of questions and the
> > > rest are really nits that can be handled either now or later.
> > >
> > > Thanks for all your work on this so far - it's nearly there
> > > IMO and we should be able to get the IETF LC started once
> > > these few things are dealt with.
> > > 
> > > Cheers, 
> > > S. 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> 
> 
> 
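The negotiation Bill describes above (the protected resource advertises the token schemes it accepts, the client picks one it implements and fails gracefully otherwise) and Torsten's caveat that Bearer is only justified where HTTPS with server authentication is available, as an added example that is not part of the thread or of any OAuth implementation. It assumes the resource advertises its schemes as RFC 2617-style challenges in a WWW-Authenticate header; the scheme names are those discussed in the thread, the "only offer Bearer over HTTPS" policy is an assumption for illustration, and all header strings are constructed sample input.

```python
"""Token-scheme negotiation between an OAuth 2 protected resource and a client.

Added example, not code from the OAuth WG or any implementation.  Assumes the
resource lists the schemes it accepts as one or more challenges, e.g.:

    WWW-Authenticate: MAC realm="api", Bearer realm="api", scope="read"
"""
import re
from typing import Optional

# One auth-param ("name=value", value quoted or bare) or one bare token.
# A bare token (no "=") starts a new challenge and names its scheme.
_TOKEN_RE = re.compile(
    r'([A-Za-z0-9_-]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*))?'
)


def parse_challenges(header: str) -> list[tuple[str, dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, params) pairs, in the
    order the resource listed them.  Scheme and param names are lowercased
    because both are case-insensitive."""
    challenges: list[tuple[str, dict[str, str]]] = []
    for m in _TOKEN_RE.finditer(header):
        name, value = m.group(1), m.group(2)
        if value is None:
            challenges.append((name.lower(), {}))
        elif challenges:  # a param before any scheme name is malformed; drop it
            challenges[-1][1][name.lower()] = value.strip('"')
    return challenges


def choose_scheme(
    header: str, supported: set[str]
) -> Optional[tuple[str, dict[str, str]]]:
    """Client side: pick the first advertised scheme this client implements.

    Server order is taken as the server's preference.  Returning None (rather
    than raising or silently trying an unsupported scheme) is the "fail
    gracefully" path: the caller can report which schemes the resource
    wanted versus what the client has.
    """
    for scheme, params in parse_challenges(header):
        if scheme in supported:
            return scheme, params
    return None


def build_challenge_header(realm: str, over_https: bool) -> str:
    """Resource-server side: advertise the accepted schemes for a 401.

    Policy assumed for this example: MAC is always offered, Bearer only when
    the request arrived over HTTPS, since a bearer token carried over plain
    HTTP is usable by anyone who observes it.  Realm is assumed to contain
    no '"' characters.
    """
    schemes = ['MAC realm="%s"' % realm]
    if over_https:
        schemes.append('Bearer realm="%s"' % realm)
    return ", ".join(schemes)


if __name__ == "__main__":
    client_supports = {"bearer"}  # a Bearer-only client, as the thread debates
    for https in (True, False):
        hdr = build_challenge_header("api", over_https=https)
        picked = choose_scheme(hdr, client_supports)
        if picked is None:
            offered = [s for s, _ in parse_challenges(hdr)]
            print(f"https={https}: no usable scheme; resource offers {offered}, "
                  f"client supports {sorted(client_supports)}")
        else:
            print(f"https={https}: using {picked[0]} with params {picked[1]}")
```

Running the block shows the two outcomes the thread is arguing about: over HTTPS a Bearer-only client proceeds, over plain HTTP the same client gets a clear "no usable scheme" result instead of a confusing 401 loop, which is the interop behaviour Justin is asking how a client-only MTI rule would guarantee.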