Re: [OAUTH-WG] Security area review
Barry Leiba <barryleiba@computer.org> Mon, 08 August 2011 13:14 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2690121F86BE for <oauth@ietfa.amsl.com>; Mon, 8 Aug 2011 06:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.049
X-Spam-Level:
X-Spam-Status: No, score=-103.049 tagged_above=-999 required=5 tests=[AWL=-0.072, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DpYD7oHcQPhZ for <oauth@ietfa.amsl.com>; Mon, 8 Aug 2011 06:14:43 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5DC21F86BD for <oauth@ietf.org>; Mon, 8 Aug 2011 06:14:43 -0700 (PDT)
Received: by gxk19 with SMTP id 19so885044gxk.31 for <oauth@ietf.org>; Mon, 08 Aug 2011 06:15:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=nkThGe3qT856bg7ANUiuwSiegZ6vtEeFhCzSGu3kFSc=; b=nyKA1UzEJECV1XaEbaSxV6vlOF7GFOcSBPRNB/4N8teuMUWgR7aiJpHySM02wOnv8m 0PYCfa909unDhteAARPX4qITH8AJMw/l4f48dgpuWR2keNRItFmsgga0wsw3M5rXJ4kz LGge33an8Y5ai7/mjnD64/LhIcJ17feQ6sRMw=
MIME-Version: 1.0
Received: by 10.236.76.170 with SMTP id b30mr1201962yhe.213.1312809305613; Mon, 08 Aug 2011 06:15:05 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.236.207.132 with HTTP; Mon, 8 Aug 2011 06:15:05 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345024864B07@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72345024864A96@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAC4RtVBV-Pcv9NL_aHPFvU5s9f=W0-Hzuh3tAXD3TGf+j6nbXw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345024864B07@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 08 Aug 2011 09:15:05 -0400
X-Google-Sender-Auth: 6ISUkoeaj571Jl5S5jNSOw4lTcQ
Message-ID: <CALaySJJU3S3gWBdqVhOqeqAaas+O9GkXoBtLLN0ub-NMpCVF1Q@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Security area review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2011 13:14:44 -0000
> But this still puzzles me. After two years in the application area where IMO this > working clearly belongs, we were moved to the security area under the premise > of increased review and engagement from the security area. I can't speak for the IESG, and it's they who made the decision to move the WG. But I can say that I disagree that it "clearly belongs" in the App area. From the start, I was puzzled why it wasn't chartered in the Sec area; OAuth is, to me, a security protocol that's used at the app layer (as opposed to an app protocol that happens to include security). DKIM was in a similar situation -- having bits in both areas -- and in 2006 was chartered in Sec... and that one seemed even more that it should have been in Apps. We have puzzling situations often, these days, where working groups "clearly belong" in more than one area, and the way things currently work, the IESG has to choose. ALTO might have been in RAI or App, was chartered in App, and now is in TSV. We've had a few recently chartered WGs where there was some debate about which area they belong in. I've thought for some time that we should have multi-area WGs, but that's not the case now. Don't pay too much attention to which AD manages the WG. Barry
- [OAUTH-WG] Security area review Eran Hammer-Lahav
- Re: [OAUTH-WG] Security area review Barry Leiba
- Re: [OAUTH-WG] Security area review Eran Hammer-Lahav
- Re: [OAUTH-WG] Security area review Richard L. Barnes
- Re: [OAUTH-WG] Security area review Barry Leiba
- Re: [OAUTH-WG] Security area review Hannes Tschofenig
- Re: [OAUTH-WG] Security area review Eran Hammer-Lahav