Re: [OAUTH-WG] OAuth 1.0a

Hannes Tschofenig <hannes.tschofenig@nsn.com> Wed, 15 August 2012 06:26 UTC

Date: Wed, 15 Aug 2012 09:26:48 +0300
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: William Mills <wmills_92105@yahoo.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0a

Hi Bill, 

I know that you can reference many specifications.

I already see you being referenced by Eran in an upcoming blog post about
the complexity and the lack of interoperability you have added even to SASL
OAuth ;-)

Ciao
Hannes


On 8/15/12 9:10 AM, "ext William Mills" <wmills_92105@yahoo.com> wrote:

> You are mistaken, I cite MAC directly right now, but now that it is up in the
> air I would much rather rely on 3 specs (OAuth 2 core, Bearer, and 1.0a) than
> refer to MAC when I think I can do without MAC and use 1.0a instead.  MAC is
> now in flux again, the other 3 are stable or already standards.
> 
> I think you are also mistaken that we can't support 1.0a and OAuth 2 tokens in the
> same SASL mechanism.  Why do you think this is true?
> 
> From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> To: William Mills <wmills_92105@yahoo.com>
> Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Mike Jones
> <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org>
> Sent: Tuesday, August 14, 2012 10:48 PM
> Subject: Re: [OAUTH-WG] OAuth 1.0a
> 
> FYI: just to repeat my note here as well that I sent to Bill on the KITTEN
> list:
> 
> I see three possible ways forward for the OAuth SASL work, namely:
> 
> * Focus on OAuth 1.0 only (since it has a MAC specification in there).
>   Then, you ignore all the OAuth 2.0 deployment that is out there, of which
>   there is a lot. That would be pretty bad IMHO.
> * Copy relevant parts from
>   http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 (of which there is
>   almost no deployment).
> * Wait for the OAuth group to settle on a mechanism. May take time.
> 
> 
> I doubt that the question about the views of the WG about OAuth 1.0a can
> answer any of the above questions.
> 
> Bill does not want to wait. He also does not want to copy parts from
> draft-ietf-oauth-v2-http-mac-01 into the SASL OAuth spec. Focusing on OAuth
> 1.0 for now would require the specification to be extended later on to fit to
> OAuth 2.0 deployments (and whatever new security mechanism we will come up
> with). As a consequence, the specification will then suffer from additional
> complexity. 
> 
> Ciao
> Hannes
> 
> On Aug 14, 2012, at 10:37 PM, William Mills wrote:
> 
>> > It's for the OAUTH SASL spec.  I've been writing it with the idea that
>> OAuth 1.0a would work (since I think we'll have extant 1.0a type tokens we
>> want to allow for IMAP), but several folks were saying when this all started
>> that 1.0a was dead and I should not refer to it.
>> > 
>> > I want to make sure the SASL mechanism is built to properly handle signed
>> auth schemes and not just bearer (cookie) type.
>> > 
>> > -bill
>> > 
>> > From: Mike Jones <Michael.Jones@microsoft.com>
>> > To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org>
>> > Sent: Tuesday, August 14, 2012 12:28 PM
>> > Subject: RE: [OAUTH-WG] OAuth 1.0a
>> > 
>> > What problem are you trying to solve?
>> >  
>> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
>> William Mills
>> > Sent: Tuesday, August 14, 2012 12:22 PM
>> > To: O Auth WG
>> > Subject: [OAUTH-WG] OAuth 1.0a
>> >  
>> > What's the general opinion on 1.0a?  Am I stepping in something if I refer
>> to it in another draft?  I want to reference an auth scheme that uses signing
>> and now MAC is apparently going back to the drawing board, so I'm thinking
>> about using 1.0a.
>> >  
>> > Thanks,
>> >  
>> > -bill
>> > 
>> > 
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
> 