IETF Logo Mail Archive

Re: [OAUTH-WG] What to do about 'realm'

"William Mills" <wmills@yahoo-inc.com> Mon, 12 July 2010 05:55 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E37A53A6A51 for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 22:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.39
X-Spam-Level:
X-Spam-Status: No, score=-17.39 tagged_above=-999 required=5 tests=[AWL=-0.125, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNya-TI7ZbH5 for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 22:55:43 -0700 (PDT)
Received: from mrout2-b.corp.re1.yahoo.com (mrout2-b.corp.re1.yahoo.com [69.147.107.21]) by core3.amsl.com (Postfix) with ESMTP id 432FC3A6A67 for <oauth@ietf.org>; Sun, 11 Jul 2010 22:55:36 -0700 (PDT)
Received: from SNV-EXBH01.ds.corp.yahoo.com (snv-exbh01.ds.corp.yahoo.com [207.126.227.249]) by mrout2-b.corp.re1.yahoo.com (8.13.8/8.13.8/y.out) with ESMTP id o6C5rMls020000; Sun, 11 Jul 2010 22:53:22 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:x-mimeole:content-class:mime-version: content-type:content-transfer-encoding:subject:date:message-id: in-reply-to:x-ms-has-attach:x-ms-tnef-correlator:thread-topic: thread-index:references:from:to:cc:x-originalarrivaltime; b=PhmXc39Zx7IhFi48bgD8PABBliEHoTOdPgbmCkOrNXAome++Bd77WvcyH4e4mCrb
Received: from SNV-EXVS08.ds.corp.yahoo.com ([207.126.227.8]) by SNV-EXBH01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Sun, 11 Jul 2010 22:53:21 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 11 Jul 2010 22:53:20 -0700
Message-ID: <012AB2B223CB3F4BB846962876F47217059B6BBC@SNV-EXVS08.ds.corp.yahoo.com>
In-Reply-To: <AANLkTikLogvJAhE9LF60MDyEiqvpDM8WD8tSUr4fZLjP@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] What to do about 'realm'
Thread-Index: AcsgxiyXZSK8vk89Q/eV4TGi3XOmmQAwASjw
References: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84ADE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTikLogvJAhE9LF60MDyEiqvpDM8WD8tSUr4fZLjP@mail.gmail.com>
From: William Mills <wmills@yahoo-inc.com>
To: Brian Eaton <beaton@google.com>, Eran Hammer-Lahav <eran@hueniverse.com>
X-OriginalArrivalTime: 12 Jul 2010 05:53:21.0973 (UTC) FILETIME=[891A5650:01CB2186]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] What to do about 'realm'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 05:55:46 -0000

 

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] 
> On Behalf Of Brian Eaton
> Sent: Saturday, July 10, 2010 11:56 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] What to do about 'realm'
> 
> On Sun, Jun 27, 2010 at 6:51 PM, Eran Hammer-Lahav 
> <eran@hueniverse.com> wrote:
> > 1. Leave it as required under the definition of RFC 2617 
> (i.e. provide 
> > no help, developers will need to ready 2617 and figure out 
> what to do with it).
> >
> > 2. Update 2617 to remove the requirement - this is not going to be 
> > easy or possible to predict success.
> >
> > 3. Provide specific guidance as to what to do with the 
> realm parameter.
> >
> > 4. Something else.
> 
> Let's do something else.
> 
> We've made great progress on simplifying the spec and 
> unifying the different formats to minimize the number of 
> parsers and serializers that are needed.  The 
> www-authenticate header is one of the bits of nastiness left.
> 
> Let's use a format like this:
> 
> WWW-Authenticate: OAuth2 base64(<json>)

This will work for me in the SASL stuff for discovery information.

JSON as a name/value construct works as well as anythign else.

> 
> Or even just:
> 
> WWW-Authenticate: OAuth2

This won't really, and I'll have to stuff the discovery information
somwehre else.

I don't care what the real specifics of this are as long asn it's
extensible.
> 
> Seriously.
> 
> There is some precedent for this.  The Negotiate and NTLM 
> schemes ditched the name="value" syntax, and they are widely 
> implemented.
> This demonstrates two things:
> 1) dropping the name="value" syntax won't break the internet, 
> because widely deployed schemes have already done it.
> 2) "realm" is not necessary in order to have a successful 
> authentication protocol.
> 
> As far as I can tell, there is no good reason for RFC 2617 to 
> specify the syntax it does.  It's convenient for digest auth, 
> and kind of a pain everywhere else.
> 
> So let's just drop it.
> 
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.39.1 | Report a Bug | By Email | System Status