Re: [OAUTH-WG] MAC Tokens body hash

Eran Hammer-Lahav <> Wed, 03 August 2011 00:55 UTC

From: Eran Hammer-Lahav <>
To: Barry Leiba <>
Date: Tue, 02 Aug 2011 17:54:24 -0700
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] MAC Tokens body hash

Yes, tone is important and I agree that this is a working group document and should follow process.

This draft has shown practically no interest from this working group (last count it was 3 people other than me). If there was no requirement from the AD to include this as part of the OAuth 2.0 "package", it would have stayed as an individual submission.

Given that this is largely my work (to date) and that the working group engagement is almost non-existent, moving forward is more likely going to come from me putting forward proposals in the document with [[ Pending Consensus ]] labels than from trying to get engagement. Unless the chairs are going to actively poke the group to engage (which I have seen no sign of), I'm not expecting much to change.

At this point we have established the practice of suggesting text within the document itself as long as it is clearly marked and we have an open issue in the tracker. I'm going to follow that practice and make the proposed changes in order to move things along at a practical pace. I'll also adjust my tone to address any concerns.


> -----Original Message-----
> From:
> [] On Behalf Of Barry Leiba
> Sent: Tuesday, August 02, 2011 5:28 PM
> To: Eran Hammer-Lahav
> Cc: Phil Hunt; William J. Mills; OAuth WG
> Subject: Re: [OAUTH-WG] MAC Tokens body hash
>
> On Tue, Aug 2, 2011 at 2:22 AM, Eran Hammer-Lahav
> <> wrote:
> > I am going to drop both 'bodyhash' and 'ext', and instead add 'app'. 'app'
> > allows you to include any data you want. 'ext' without an internal
> > format and register is just asking for trouble, and I have no
> > intention of adding that level of complexity. There are other
> > proposals in the IETF for full HTTP message signatures, and I'll leave
> > these more complex use cases to them.
> >
> > If you can demonstrate actual need (with examples) of both 'app' and
> > 'ext', I'm willing to reconsider but you can clearly accomplish the
> > same end result with just one, application-specific parameter.
>
> Just a word of process stuff, here: draft-ietf-oauth-v2-http-mac is a working
> group document, not an individual submission.  That means that the working
> group decides what gets changed, and we need to see consensus to make a
> change like this.  "I am going to", "I have no intention of", and "I'm willing to
> reconsider" aren't appropriate.
>
> It might be that making this change is the right thing to do, but so far we have
> no one voicing support for the change (Skylar responded favourably to the
> initial message, but no one's supported removing "ext" in favour of "app").
> Let's have more discussion before any decisions are made.  And, in general,
> for all documents, let's please have editors making suggestions, not
> pronouncements.  Tone is important.
>
> Barry, as chair