Re: [OAUTH-WG] OAuth WRAP
John Panzer <jpanzer@google.com> Tue, 10 November 2009 22:38 UTC
To clarify the distinctions between OAuth WRAP and OAuth 1.0a, the OAuth WRAP doc[1] Appendix C states the following:

"OAuth WRAP requires the Authorization Server to support HTTPS, OAuth 1.0A does not."

This is an important distinction, though I assume it applies only to the profile(s) supplied as part of WRAP and not to extension profile(s) that may be created. (E.g., one could create a fourth profile which did not require HTTPS -- it just would not be as interoperable as the others, and servers and clients are not required to support it, but it would be otherwise compatible with WRAP if I understand correctly.)

"The Access Token in OAuth WRAP is opaque to the Client. The Client does not need to perform any cryptography except for calling HTTPS."

This is also important, but what is the difference between WRAP and OAuth 1.0A PLAINTEXT mode? They seem to be pretty much identical to me; if there is a difference it should be called out.

"The Access Token in OAuth WRAP can contain authorization information, or claims, enabling the Protected Resource to determine the Client's authorization without querying any other resource."

I don't understand this distinction; this sounds exactly like the OAuth 1.0a token. What am I missing?

Best,
John

PS: Sorry for the munged text, that's what I get when I copy and paste from the PDF to ASCII. Any chance of getting a plain text or HTML version of the spec?

[1] http://oauth-wrap-wg.googlegroups.com/web/WRAP-v0.9.7.2.pdf

On Tue, Nov 10, 2009 at 9:52 AM, Dick Hardt <Dick.Hardt@microsoft.com> wrote:

> At IIW last week, myself, Brian Eaton from Google and Allen Tom from
> Yahoo! presented what is now called OAuth WRAP
>
> The specs and discussion specific to those documents is at:
>
> http://groups.google.com/group/oauth-wrap-wg
>
> We plan to submit the document as an I-D next week when I-D submission
> is open again, and for further work to occur in the IETF OAuth WG.
>
> -- Dick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer