Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Dick Hardt <> Thu, 30 September 2010 19:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1BC793A6E4E for <>; Thu, 30 Sep 2010 12:07:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mSc3COxV8w11 for <>; Thu, 30 Sep 2010 12:07:35 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0505B3A6D84 for <>; Thu, 30 Sep 2010 12:07:34 -0700 (PDT)
Received: by pxi6 with SMTP id 6so782823pxi.31 for <>; Thu, 30 Sep 2010 12:08:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=UyTyCFGBe+pzfFBS5kUhavsCBbU63BendZon4Wi3aEY=; b=EvM50CC1LunBy9e2K+pndTe6lntKuPzseF3qH61LKUn3/7HqSrobYO//AeE7FJDOj2 IyaWBjWoBU22xu0aYlNVO+gaBKJ2uqLr9JesfIwVWDL70lZPwYv8YmfL3nQssnsD6Mv0 ph6BPeHlEWIQUdkfpIO7RRyVD/8isOHM8RKdE=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=xrktoK601T3V/e0t6myntsw5FmUoi1VNIeTzBkz5z7jZRXbj2pGpqnqPXRZvKWiwTV 5hnGkAkFv6jCMofKu5WqXTHs+GoYLX17VeKek8z/SmCjHoXCqwp+w5FcoxJCrfiG5VDD pFAIWUt/YCJc4ZIX1Xr8w6Dblz+z2hjxOYJS8=
Received: by with SMTP id i9mr1327408wff.220.1285873701315; Thu, 30 Sep 2010 12:08:21 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id t38sm192335wfc.21.2010. (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 30 Sep 2010 12:08:19 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343D460DBD42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 30 Sep 2010 12:08:16 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB5BE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <90C41DD21FB7C64BB94121FBBC2E72343D460DBD42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <>
X-Mailer: Apple Mail (2.1081)
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Sep 2010 19:07:36 -0000

On 2010-09-30, at 11:33 AM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: Dick Hardt []
>> Sent: Thursday, September 30, 2010 7:45 AM
>> The suggested change does not address the issue that myself and others had
>> raised with having signatures be in the core. The suggestion was that having
>> signatures be a different spec made them reusable by other groups and
>> enabled a more comprehensive signature specification. Having them in core
>> made them OAuth specific.
> Of course it does! It addresses it by keeping signature proposals as separate documents. This is exactly what you have been asking for!

No, that is not what I was asking for. You are breaking it on "using a token". Your proposal does not create an independent signing spec. As stated, I don't have a concern with signatures being part of OAuth,

> Now it is up to those working on each signature proposal to decided how generic they want to keep it.
>> I think there was consensus with those that had seen the advantage of a
>> different signature spec that including the OAuth 1.0A signature mechanism
>> in core and having a clear extension mechanism was a satisfactory direction.
>> This enables alternative algorithms to be specified
> There was no consensus! Mike Jones and Marius Scurtescu outright objected, Anthony Nadalin was not supportive, you and Lukas Rosenstock raised concerns, John Panzer suggested he might be ok with it, and Mark McGloin said it is worth trying. That's it.
> On the other hand, the proposal to break the specification has an overwhelming support: 13 people support it unconditionally, 2 raised concerns but are happy to give it a try, and 1 didn't see the point (but did not object). You are the only one with an actual objection (so far), and one which is pretty easy to test, and much faster than anything else suggested.
> Breaking the specification will take a few days and will let us judge these assertions in practice. I suggest we move forward with this proposal and revisit your objection later when we have actual documents to discuss. If the result will prove to be unreadable, we can always go revisit, and the IETF process will give you plenty of opportunities to voice your concerns.

If the WG is happy spending time on yet another experiment on moving around the content, please proceed.

You have not addressed my core point which is that the WG needs to come to agreement on which use cases are in scope, which I think is the underlying issue here. I think breaking the spec into 3 parts is just moving around deck chairs.

-- Dick