Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

[Dick Hardt <dick.hardt@gmail.com>]

On 2010-09-30, at 11:33 AM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: Dick Hardt [mailto:dick.hardt@gmail.com]
>> Sent: Thursday, September 30, 2010 7:45 AM
> 
>> The suggested change does not address the issue that myself and others had
>> raised with having signatures be in the core. The suggestion was that having
>> signatures be a different spec made them reusable by other groups and
>> enabled a more comprehensive signature specification. Having them in core
>> made them OAuth specific.
> 
> Of course it does! It addresses it by keeping signature proposals as separate documents. This is exactly what you have been asking for!

No, that is not what I was asking for. You are breaking it on "using a token". Your proposal does not create an independent signing spec. As stated, I don't have a concern with signatures being part of OAuth,

> Now it is up to those working on each signature proposal to decided how generic they want to keep it.
> 
>> I think there was consensus with those that had seen the advantage of a
>> different signature spec that including the OAuth 1.0A signature mechanism
>> in core and having a clear extension mechanism was a satisfactory direction.
>> This enables alternative algorithms to be specified
> 
> There was no consensus! Mike Jones and Marius Scurtescu outright objected, Anthony Nadalin was not supportive, you and Lukas Rosenstock raised concerns, John Panzer suggested he might be ok with it, and Mark McGloin said it is worth trying. That's it.
> 
> On the other hand, the proposal to break the specification has an overwhelming support: 13 people support it unconditionally, 2 raised concerns but are happy to give it a try, and 1 didn't see the point (but did not object). You are the only one with an actual objection (so far), and one which is pretty easy to test, and much faster than anything else suggested.
> 
> Breaking the specification will take a few days and will let us judge these assertions in practice. I suggest we move forward with this proposal and revisit your objection later when we have actual documents to discuss. If the result will prove to be unreadable, we can always go revisit, and the IETF process will give you plenty of opportunities to voice your concerns.

If the WG is happy spending time on yet another experiment on moving around the content, please proceed.

You have not addressed my core point which is that the WG needs to come to agreement on which use cases are in scope, which I think is the underlying issue here. I think breaking the spec into 3 parts is just moving around deck chairs.

-- Dick