Re: [OAUTH-WG] OAuth WRAP
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 10 November 2009 21:16 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 902E03A6832 for <oauth@core3.amsl.com>; Tue, 10 Nov 2009 13:16:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level:
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8QIj0PXgSwE9 for <oauth@core3.amsl.com>; Tue, 10 Nov 2009 13:16:04 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 7F0863A6964 for <oauth@ietf.org>; Tue, 10 Nov 2009 13:16:04 -0800 (PST)
Received: (qmail 1494 invoked from network); 10 Nov 2009 21:16:28 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Nov 2009 21:16:28 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 10 Nov 2009 14:16:24 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Paul C. Bryan" <email@pbryan.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 10 Nov 2009 14:16:23 -0700
Thread-Topic: [OAUTH-WG] OAuth WRAP
Thread-Index: AcpiP/mtzwZ5h1wATZ2P8INHK1xq+gACxRPM
Message-ID: <C71F1827.28808%eran@hueniverse.com>
In-Reply-To: <1257883017.10242.5.camel@localhost>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C71F182728808eranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] OAuth WRAP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 21:16:11 -0000
My 2c: WRAP was developed out of necessity due to limitations in OAuth and product release schedule. Without going into too much detail about whether a whole new protocol was really necessary, the WRAP authors felt that it was, and that their timeline could not accommodate waiting for the OAUTH WG to accommodate their use cases in the new version of the spec. We now have a new and separate spec in the space. I have encouraged the authors to submit their spec as input for the WG and to collaborate to make the upcoming WG spec cover their use case. The goal would be to render the separate WRAP spec unnecessary. How they or others would choose to apply this to their implementation is beyond my control or (TBH) interest. Most of the innovative ideas in WRAP are around the delegation flow (and there are some good ideas in there). I plan to use some of that as the basis for the new delegation spec. On the authentication side, WRAP uses bearer token with no crypto which will be supported by the PLAIN flavor. As for how to manage community expectations, the OAuth brand, etc.: I was opposed to putting WRAP under the OAuth brand (the entire effort started as "Simple OAuth"). Others felt that pretending WRAP was an OAuth profile (it is not) and naming it as such would be less confusing or less damaging to the OAuth brand (if you call it the same thing, there is no competition). I didn't care enough to (continue) that argument given my view that by the time WRAP will get the wide attention OAuth has, this WG will produce stable drafts of the new OAuth and will make this irrelevant. EHL On 11/10/09 11:56 AM, "Paul C. Bryan" <email@pbryan.net> wrote: I guess I must admit I'm a bit surprised that the general consensus would be to merge with/profile WRAP as OAuth, as the deltas between the two protocols as defined seems quite substantial. Does this mean that for all intents and purposes I should consider the existing OAuth IETF drafts to date to be deprecated in favour of WRAP? Paul On Tue, 2009-11-10 at 19:46 +0000, Dick Hardt wrote: > Good question. Given the positive reception WRAP received at IIW and > that capabilities in WRAP are expected to come out of the work in the > IETF OAuth WG, there was consensus from the OAuth community to include > WRAP as OAuth profiles. > > -- Dick > > On 2009-11-10, at 10:06 AM, "Paul C. Bryan" <email@pbryan.net> wrote: > > > Hi Dick: > > > > Given that WRAP is so different from OAuth (as I know it), other than > > the fact that OAuth could be used to negotiate the issuance of a WRAP > > refresh token, I'm curious why you chose to associate this with > > OAuth by > > giving it an "OAuth" prefix. It seems to me that it would only create > > confusion in this space. > > > > Paul > > > > On Tue, 2009-11-10 at 17:52 +0000, Dick Hardt wrote: > >> At IIW last week, myself, Biran Eaton from Google and Allen Tom from > >> Yahoo! presented what is now called OAuth WRAP > >> > >> The specs and discussion specific to those documents is at: > >> > >> http://groups.google.com/group/oauth-wrap-wg > >> > >> We plan to submit the document as an I-D next week when I-D > >> submission > >> is open again, and for further work to occur in the IETF OAuth WG. > >> > >> -- Dick > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Chris Messina
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? John Kemp
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Igor Faynberg
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? BeckW
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] OAuth WRAP RL 'Bob' Morgan
- Re: [OAUTH-WG] OAuth WRAP Chris Messina
- Re: [OAUTH-WG] [WRAP] Re: OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] OAuth WRAP Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? George Fletcher
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Prateek Mishra
- Re: [OAUTH-WG] why are we signing?; OAuth 2.0 / C… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Richard Barnes
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation (was: Re: why a… Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation Vrancken Bart bv
- Re: [OAUTH-WG] multi-level delegation (was: Re: w… Zeltsan, Zachary (Zachary)