Re: [OAUTH-WG] What to do about 'realm'

Brian Eaton <beaton@google.com> Sun, 11 July 2010 06:55 UTC

In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84ADE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84ADE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Sat, 10 Jul 2010 23:55:46 -0700
Message-ID: <AANLkTikLogvJAhE9LF60MDyEiqvpDM8WD8tSUr4fZLjP@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>

On Sun, Jun 27, 2010 at 6:51 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> 1. Leave it as required under the definition of RFC 2617 (i.e. provide no
> help, developers will need to read 2617 and figure out what to do with it).
>
> 2. Update 2617 to remove the requirement – this is not going to be easy or
> possible to predict success.
>
> 3. Provide specific guidance as to what to do with the realm parameter.
>
> 4. Something else.

Let's do something else.

We've made great progress on simplifying the spec and unifying the
different formats to minimize the number of parsers and serializers
that are needed.  The www-authenticate header is one of the bits of
nastiness left.

Let's use a format like this:

WWW-Authenticate: OAuth2 base64(<json>)

Or even just:

WWW-Authenticate: OAuth2

Seriously.

There is some precedent for this.  The Negotiate and NTLM schemes
ditched the name="value" syntax, and they are widely implemented.
This demonstrates two things:
1) dropping the name="value" syntax won't break the internet, because
widely deployed schemes have already done it.
2) "realm" is not necessary in order to have a successful
authentication protocol.

As far as I can tell, there is no good reason for RFC 2617 to specify
the syntax it does.  It's convenient for digest auth, and kind of a
pain everywhere else.

So let's just drop it.

Cheers,
Brian
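The two challenge formats under discussion, side by side, as an added example that is not code from the thread or from any OAuth implementation. The first parser implements the RFC 2617 auth-param grammar (scheme followed by comma-separated `name=token` or `name="quoted-string"` pairs, realm required); the second implements the `OAuth2 base64(<json>)` / bare `OAuth2` form proposed above, which was never standardized in this shape, so its exact rules (standard base64, a flat JSON object of strings) are assumptions made here. The challenge strings are constructed for the example. A strict-conformance helper shows why bare `Negotiate` is non-conforming under RFC 2617 yet parses fine once the realm requirement is dropped.

```python
"""WWW-Authenticate challenge parsers: RFC 2617 auth-params vs. the proposed
OAuth2 base64(JSON) form.  Added example; sample challenges are constructed."""
import base64
import binascii
import json
import re

# RFC 2616 token characters: any CHAR except CTLs and separators.
# Note that "=" is a separator, so base64 padding is not a valid token.
_TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+"
# One auth-param: token "=" ( token | quoted-string ), then "," or end of header.
_AUTH_PARAM = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|(" + _TOKEN + r"))\s*(?:,|$)"
)
_SCHEME = re.compile(r"\s*(" + _TOKEN + r")(?:\s+|$)")


def is_http_token(s):
    """True if s is a single RFC 2616 token (the type of every auth-param name)."""
    return re.fullmatch(_TOKEN, s) is not None


def parse_rfc2617(header, require_realm=True):
    """Parse `Scheme name="value", name=value ...` per RFC 2617.

    Returns (scheme, params).  With require_realm=True the parser enforces
    RFC 2617's rule that every challenge carries a realm, which is what
    makes bare `Negotiate` and `NTLM` challenges non-conforming.
    """
    m = _SCHEME.match(header)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, pos = m.group(1), m.end()
    params = {}
    while pos < len(header):
        m = _AUTH_PARAM.match(header, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if m.group(2) is None:
            value = m.group(3)                            # bare token
        else:
            value = re.sub(r"\\(.)", r"\1", m.group(2))   # undo quoted-pairs
        if name in params:
            raise ValueError("duplicate auth-param %r" % name)
        params[name] = value
        pos = m.end()
    if require_realm and "realm" not in params:
        raise ValueError("RFC 2617 requires a realm")
    return scheme, params


def conforms_to_rfc2617(header):
    """Strict RFC 2617 conformance check (realm required)."""
    try:
        parse_rfc2617(header, require_realm=True)
        return True
    except ValueError:
        return False


def build_proposed_oauth2(params=None):
    """Serialize the proposed `OAuth2 base64(<json>)` challenge (bare `OAuth2` if empty)."""
    if not params:
        return "OAuth2"
    payload = json.dumps(params, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return "OAuth2 " + base64.b64encode(payload).decode("ascii")


def parse_proposed_oauth2(header):
    """Parse `OAuth2 base64(<json>)` or bare `OAuth2`.

    No realm and no quoting rules: the only decoders needed are base64 and
    JSON, which an OAuth 2 client has anyway.  The flat-object-of-strings
    rule is an assumption of this example, not something the thread fixes.
    """
    parts = header.split()
    if not parts or parts[0] != "OAuth2":
        raise ValueError("not an OAuth2 challenge")
    if len(parts) == 1:
        return "OAuth2", {}
    if len(parts) > 2:
        raise ValueError("unexpected tokens after the base64 payload")
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not base64: %s" % exc)
    params = json.loads(raw.decode("utf-8"))   # JSONDecodeError is a ValueError
    if not isinstance(params, dict) or not all(isinstance(v, str) for v in params.values()):
        raise ValueError("payload must be a flat JSON object of strings")
    return "OAuth2", params


# Constructed sample challenges (not taken from the thread).
RFC2617_CHALLENGE = 'OAuth realm="api.example", error="invalid_token", scope="read write"'
NEGOTIATE_CHALLENGE = "Negotiate"
PROPOSED_CHALLENGE = build_proposed_oauth2({"error": "invalid_token", "scope": "read write"})

if __name__ == "__main__":
    print(parse_rfc2617(RFC2617_CHALLENGE))
    print(parse_rfc2617(NEGOTIATE_CHALLENGE, require_realm=False))
    print("strict 2617 accepts Negotiate:", conforms_to_rfc2617(NEGOTIATE_CHALLENGE))
    print(parse_proposed_oauth2(PROPOSED_CHALLENGE))
    print(parse_proposed_oauth2("OAuth2"))
```

One caveat a practitioner would want before shipping the proposed form: standard base64 can end in `=` padding, and `=` is an RFC 2616 separator, so a generic RFC 2617 challenge parser in a proxy or client library may reject or mis-split the payload even though the OAuth2-specific parser above handles it; `is_http_token("YQ==")` returning False is that problem in miniature.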