[OAUTH-WG] Reviewing draft-ietf-oauth-v2-21

Barry Leiba <barryleiba@computer.org> Wed, 07 September 2011 15:57 UTC

As you've all probably seen, Eran has posted version 21 of the OAuth
base spec, in which he believes he's addressed all comments and issues
that came up in the review of version 20.  We should be ready to send
this to the IESG.

Everyone who had comments or issues, please review -21 and make sure
that your concerns have been handled to your satisfaction (or that
there was no consensus to make a change).  And we encourage everyone
to review the changes from -20 to -21, to make sure Eran didn't
inadvertently break anything along the way.

The -21 is here:  http://tools.ietf.org/html/draft-ietf-oauth-v2-21
And diffs from -20 can be found here:
http://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-21.txt

We'll give it until the end of next week, while I work on the shepherd
writeup.  Comments, please, by 16 September.  A few affirmative notes
saying, "Yes, I reviewed it and it looks good," will also be helpful.
Keep in mind, as you review, that pet changes are out of scope at this
point.  We're just reviewing -21 to make sure (1) it doesn't break
anything from -20, and (2) it isn't missing anything that was brought
up in WGLC.  New issues will have to be very serious, indeed, in order
to be considered now.

Also, a note on the thread that Mike Thomas started about the OAuth
problem statement and threats:
I did encourage him to start the discussion, and I think it can be a
useful conversation.  I do NOT think it will or should result in a
change to the base spec, but it might feed into the threat model
document (draft-ietf-oauth-v2-threatmodel), as Torsten, et al, move
that toward completion.  Remember that the base spec encourages
readers to refer to the threat model document for more detailed
descriptions of threats and attacks.

Barry, as chair