Re: [OAUTH-WG] Basic signature support in the core specification
Dick Hardt <dick.hardt@gmail.com> Sat, 25 September 2010 05:38 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 24 Sep 2010 22:39:26 -0700
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Basic signature support in the core specification

wrt. developers knowing what they need => I think the AS / PR will tell developers if they need to use signatures, or if they need to use HTTPS, or if they need to use assertions.

Sorry for including more than one topic in my email :: my main point was that I was confused by what Eve was proposing.

-- Dick

On 2010-09-24, at 7:23 PM, Eran Hammer-Lahav wrote:

> Most developers don’t know if they need signatures! By putting them elsewhere we will be promoting the bearer token approve as the default choice and that’s unacceptable to me. It is promoting a specific security compromise (for developer ease) that is far from industry consensus.
>
> I can make the same arguments about assertions. Or any single profile. Or any client credentials type. The bits that are in are based solely on a team effort in trying to accommodate as many people as possible. Seems like those opposed signatures got everything they want, don’t really care about others, and are ready to call it a day.
>
> EHL
>
>
> On 9/24/10 5:20 PM, "Dick Hardt" <dick.hardt@gmail.com> wrote:
>
> That's a confusing answer Eve. Is it in the spec or pointed to from the spec?
>
> I think there is consensus that there are enough use cases that signatures need to be spec'ed -- the question is if the signature spec is in core or a separate spec.
>
> For people that don't need signatures, having them separate keeps the core spec simpler. Having a separate spec enables other groups to reuse the signature mechanism without confusing their readers with the rest of the OAuth spec.
>
> On 2010-09-24, at 1:37 PM, Eve Maler wrote:
>
> > +1 for signature support in the core spec (which may look like normative pointers out to a separate spec module if it turns out there's wider usage for that module beyond OAuth).
> >
> > Eve
> >
> > On 23 Sep 2010, at 6:43 PM, Eran Hammer-Lahav wrote:
> >
> >> Since much of this recent debate was done off list, I'd like to ask people
> >> to simply express their support or objection to including a basic signature
> >> feature in the core spec, in line with the 1.0a signature approach.
> >>
> >> This is not a vote, just taking the temperature of the group.
> >>
> >> EHL
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> > Eve Maler http://www.xmlgrrl.com/blog
> > +1 425 345 6756 http://www.twitter.com/xmlgrrl
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth