Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

Mike Jones <Michael.Jones@microsoft.com> Thu, 17 November 2011 08:32 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Date: Thu, 17 Nov 2011 08:32:49 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com>
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

Terminology correction:  This discussion was actually about HTTP authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML, etc.).  I've changed the subject line of the thread accordingly.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
Sent: Thursday, November 17, 2011 12:29 AM
To: oauth WG
Subject: [OAUTH-WG] Mandatory-to-implement token type

Stephen, as AD, brought up the question of mandatory-to-implement token types, in the IETF 82 meeting.  There was some extended discussion on the point:

- Stephen is firm in his belief that it's necessary for interoperability.  He notes that mandatory to *implement* is not the same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting or negotiating a token type, there is no value in having any type be mandatory to implement.

Stephen is happy to continue the discussion on the list, and make his point clear.  In any case, there was clear consensus in the room that we *should* specify a mandatory-to-implement type, and that that type be bearer tokens.  This would be specified in the base document, and would make a normative reference from the base doc to the bearer token doc.

We need to confirm that consensus on the mailing list, so this starts the discussion.  Let's work on resolving this over the next week or so, and moving forward:

1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?

2. If we do specify one, which token type should it be?

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
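Added example (not part of the thread above, and not code from either author): the distinction Mike draws, and the "negotiation" question Barry's summary raises, can be shown at the HTTP level. A resource server advertises the authentication schemes it accepts as challenges in one WWW-Authenticate header (RFC 7235 lets several challenges share the header, separated by commas, which is what makes the header awkward to parse). The client walks the list and picks the first scheme it has implemented; the credential it then sends is opaque to the scheme, so a JWT, a SAML assertion reference or a random string all travel in the same "Bearer ..." header. The header values below are constructed for the example, the client is assumed to implement only Bearer (MAC is deliberately left unimplemented to show what happens when the two sides share no scheme), and token68 challenges such as Basic/Negotiate are out of scope for this parser.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Tokenizer for the WWW-Authenticate grammar (RFC 7235): a quoted-string,
# a bare token, "=" or ",". Whitespace matches nothing and is skipped.
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s,="]+)|(=)|(,)')

Challenge = Tuple[str, Dict[str, str]]


def parse_www_authenticate(header: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.

    Commas separate parameters *and* challenges, so a new challenge is
    recognised as a bare token that is not followed by "=". Scheme and
    parameter names are case-insensitive and are lower-cased here.
    """
    tokens = [m.groups() for m in _TOKEN_RE.finditer(header)]
    challenges: List[Challenge] = []
    current: Optional[Challenge] = None
    i = 0
    while i < len(tokens):
        quoted, bare, eq, comma = tokens[i]
        if comma is not None or eq is not None:
            i += 1  # stray separators between challenges are harmless
            continue
        if bare is not None and i + 1 < len(tokens) and tokens[i + 1][2] is not None:
            # name "=" value  (value may be quoted or a bare token)
            if current is None:
                raise ValueError("auth-param %r before any scheme" % bare)
            if i + 2 >= len(tokens):
                raise ValueError("missing value for auth-param %r" % bare)
            vq, vb, _, _ = tokens[i + 2]
            if vq is not None:
                value = re.sub(r"\\(.)", r"\1", vq)  # undo quoted-pair escapes
            elif vb is not None:
                value = vb
            else:
                raise ValueError("bad value for auth-param %r" % bare)
            current[1][bare.lower()] = value
            i += 3
            continue
        if bare is None:
            raise ValueError("expected a scheme name, got quoted string %r" % quoted)
        current = (bare.lower(), {})
        challenges.append(current)
        i += 1
    return challenges


def choose_scheme(challenges: List[Challenge], implemented: Iterable[str]) -> Optional[Challenge]:
    """Return the first challenge whose scheme this client implements."""
    wanted = {s.lower() for s in implemented}
    for challenge in challenges:
        if challenge[0] in wanted:
            return challenge
    return None


def build_authorization(scheme: str, credential: str) -> str:
    """Build the Authorization value for a scheme the client implements.

    For Bearer the credential is a b64token (RFC 6750); its contents, JWT or
    otherwise, are not interpreted by the scheme.
    """
    if scheme == "bearer":
        if not re.fullmatch(r"[A-Za-z0-9\-._~+/]+=*", credential):
            raise ValueError("credential is not a valid b64token")
        return "Bearer " + credential
    raise NotImplementedError("scheme %r not implemented by this client" % scheme)


# Constructed client profile for the example: Bearer only, no MAC.
IMPLEMENTED_SCHEMES = frozenset({"bearer"})


def negotiate(header: str, credential: str, implemented: Iterable[str] = IMPLEMENTED_SCHEMES) -> Optional[str]:
    """Pick a mutually implemented scheme and produce the Authorization value, or None."""
    chosen = choose_scheme(parse_www_authenticate(header), implemented)
    if chosen is None:
        return None
    return build_authorization(chosen[0], credential)


if __name__ == "__main__":
    # Constructed challenge headers; the token is a throwaway unsigned JWT.
    both = 'Bearer realm="api.example", scope="read", MAC realm="api.example"'
    mac_only = 'MAC realm="api.example"'
    jwt = "eyJhbGciOiJub25lIn0.e30."
    print(negotiate(both, jwt))      # Bearer eyJhbGciOiJub25lIn0.e30.
    print(negotiate(mac_only, jwt))  # None: no scheme in common, no interop
```

With a mandatory-to-implement scheme, the first case is guaranteed to succeed whatever else either side supports; the second case is exactly the failure MTI is meant to rule out, and "mandatory to implement, not mandatory to use" means the server may still prefer MAC as long as Bearer stays in the list.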