Re: [OAUTH-WG] OAuth 1.0a
Hannes Tschofenig <hannes.tschofenig@nsn.com> Wed, 15 August 2012 06:26 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45D2421F8687 for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 23:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.605
X-Spam-Level:
X-Spam-Status: No, score=-105.605 tagged_above=-999 required=5 tests=[AWL=-1.003, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibpIxymIfUmC for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 23:26:56 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by ietfa.amsl.com (Postfix) with ESMTP id BC21121F8683 for <oauth@ietf.org>; Tue, 14 Aug 2012 23:26:55 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q7F6QsHP015315 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 15 Aug 2012 08:26:54 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q7F6QsLc003217; Wed, 15 Aug 2012 08:26:54 +0200
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Wed, 15 Aug 2012 08:26:54 +0200
Received: from 10.144.250.187 ([10.144.250.187]) by FIESEXC035.nsn-intra.net ([10.159.0.182]) via Exchange Front-End Server webmail.nsn-intra.net ([10.150.128.36]) with Microsoft Exchange Server HTTP-DAV ; Wed, 15 Aug 2012 06:26:52 +0000
User-Agent: Microsoft-Entourage/12.33.0.120411
Date: Wed, 15 Aug 2012 09:26:48 +0300
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: William Mills <wmills_92105@yahoo.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Message-ID: <CC511BD8.8908%hannes.tschofenig@nsn.com>
Thread-Topic: [OAUTH-WG] OAuth 1.0a
Thread-Index: Ac16rvLMhl3vRRcCDUqid4/Wc1ilhw==
In-Reply-To: <1345011050.82572.YahooMailNeo@web31813.mail.mud.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3427867610_26668852"
X-OriginalArrivalTime: 15 Aug 2012 06:26:54.0085 (UTC) FILETIME=[F66D0350:01CD7AAE]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 10500
X-purgate-ID: 151667::1345012014-00003184-C3BF1A63/0-0/0-0
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0a
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2012 06:26:59 -0000
Hi Bill, I know that you can reference many specifications. I already see you being referenced by Eran in an upcoming blog post about the complexity and the lack of interoperability you have added even to SASL Oauth ;-) Ciao Hannes On 8/15/12 9:10 AM, "ext William Mills" <wmills_92105@yahoo.com> wrote: > You are mistaken, I cite MAC directly right now, but now that it is up in the > air I would much rather rely on 3 specs (Oauth 2 core, Bearer, and 1.0a) than > refer to MAC when I think I can do without MAC and use 1.0a instead. MAC is > now in flux again, the other 3 are stable or already standards. > > I think you also mistaken that we can't support 1.0a and OAuth 2 tokens in the > same SASL mechanism. Why do you think this is true? > > > > > > > From: Hannes Tschofenig <hannes.tschofenig@gmx.net> > To: William Mills <wmills_92105@yahoo.com> > Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Mike Jones > <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org> > Sent: Tuesday, August 14, 2012 10:48 PM > Subject: Re: [OAUTH-WG] OAuth 1.0a > > > FYI: just to repeat my note here as well that I sent to Bill on the KITTEN > list: > > I see three possible ways forward for the OAuth SASL work, namely: > >> > Focus on Oauth 1.0 only (since it has a MAC specification in there). >> Then, you ignore all the Oauth 2.0 deployment that is out there, of which >> there is a lot. That would be pretty bad IMHO. >> > Copy relevant parts from >> http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 (of which there is >> almost no deployment). >> > Wait for the Oauth group to settle on a mechanism. May take time. > > > I doubt that the question about the views of the WG about OAuth 1.0a can > answer any of the above questions. > > Bill does not want to wait. He also does not want to copy parts from > draft-ietf-oauth-v2-http-mac-01 into the SASL OAuth spec. Focusing on OAuth > 1.0 for now would require the specification to be extended later on to fit to > OAuth 2.0 deployments (and whatever new security mechanism we will come up > with). As a consequence, the specification will then suffer from additional > complexity. > > Ciao > Hannes > > On Aug 14, 2012, at 10:37 PM, William Mills wrote: > >> > It's for the OAUTH SASL spec. I've been writing it with the idea that >> OAuth 1.0a would work (since I think we'll have extant 1.0a typ[e tokens we >> want to allow for IMAP), but several folks were saying when this all started >> that 1.0a was dead and I should not refer to it. >> > >> > I want to make sure the SASL mechanism is build to properly handle signed >> auth schemes and not just bearer (cookie) type. >> > >> > -bill >> > >> > From: Mike Jones <Michael.Jones@microsoft.com> >> > To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org> >> > Sent: Tuesday, August 14, 2012 12:28 PM >> > Subject: RE: [OAUTH-WG] OAuth 1.0a >> > >> > What problem are you trying to solve? >> > >> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of >> William Mills >> > Sent: Tuesday, August 14, 2012 12:22 PM >> > To: O Auth WG >> > Subject: [OAUTH-WG] OAuth 1.0a >> > >> > What's the general opinion on 1.0a? Am I stepping in something if I refer >> to it in another draft? I want to reference an auth scheme that uses signing >> and now MAC is apparently going back to the drawing board, so I'm thinking >> about using 1.0a. >> > >> > Thanks, >> > >> > -bill >> > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] OAuth 1.0a Hannes Tschofenig
- [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a Mike Jones
- Re: [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 1.0a Mike Jones
- Re: [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a Mike Jones
- Re: [OAUTH-WG] OAuth 1.0a Justin Richer
- Re: [OAUTH-WG] OAuth 1.0a Dick Hardt
- Re: [OAUTH-WG] OAuth 1.0a Ryan Troll
- Re: [OAUTH-WG] OAuth 1.0a Hannes Tschofenig
- Re: [OAUTH-WG] OAuth 1.0a Hannes Tschofenig
- Re: [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a William Mills
- Re: [OAUTH-WG] OAuth 1.0a Hannes Tschofenig