Re: [OAUTH-WG] Security area review

Barry Leiba <> Mon, 08 August 2011 13:14 UTC

To: Eran Hammer-Lahav <>
Cc: OAuth WG <>

> But this still puzzles me. After two years in the application area where IMO this
> working clearly belongs, we were moved to the security area under the premise
> of increased review and engagement from the security area.

I can't speak for the IESG, and it's they who made the decision to
move the WG.  But I can say that I disagree that it "clearly belongs"
in the App area.  From the start, I was puzzled why it wasn't
chartered in the Sec area; OAuth is, to me, a security protocol that's
used at the app layer (as opposed to an app protocol that happens to
include security).  DKIM was in a similar situation -- having bits in
both areas -- and in 2006 was chartered in Sec... and that one seemed
even more that it should have been in Apps.

We have puzzling situations often, these days, where working groups
"clearly belong" in more than one area, and the way things currently
work, the IESG has to choose.  ALTO might have been in RAI or App, was
chartered in App, and now is in TSV.  We've had a few recently
chartered WGs where there was some debate about which area they belong
in.  I've thought for some time that we should have multi-area WGs,
but that's not the case now.

Don't pay too much attention to which AD manages the WG.