Re: [OAUTH-WG] MAC Tokens body hash

Barry Leiba <> Wed, 03 August 2011 00:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1169D11E810F for <>; Tue, 2 Aug 2011 17:28:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.054
X-Spam-Status: No, score=-103.054 tagged_above=-999 required=5 tests=[AWL=-0.077, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id P0R5J6Fx8OMh for <>; Tue, 2 Aug 2011 17:28:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 79AEC11E810E for <>; Tue, 2 Aug 2011 17:28:15 -0700 (PDT)
Received: by gyd5 with SMTP id 5so215943gyd.31 for <>; Tue, 02 Aug 2011 17:28:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=G9Jrmca4LifFi+xVL+Y3IuGN1M65q+vvHdeULsfVCYU=; b=M3j2y9Pu25TzW5TZan0yu6eOIU5GLrn1myCCrg3zn2ykk6YKxPbimeChePHGNSLTyG dpAOzwN90F4rlmSL3MIy/3+azl49tV/KT7b1na1XG1Ls0hOg4Iz9NNNJ/DEQ10c+tOwH a3tOc9xX2p2rbQ7V+dxjfa9fRI+QkMN8Hqj9E=
MIME-Version: 1.0
Received: by with SMTP id b61mr30671yhn.482.1312331304621; Tue, 02 Aug 2011 17:28:24 -0700 (PDT)
Received: by with HTTP; Tue, 2 Aug 2011 17:28:24 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723450245F63D7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723450245F611B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E723450245F61F2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <90C41DD21FB7C64BB94121FBBC2E723450245F63D7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 02 Aug 2011 20:28:24 -0400
X-Google-Sender-Auth: L6irRFyjWuzsXtFnDWveixWuURE
Message-ID: <>
From: Barry Leiba <>
To: Eran Hammer-Lahav <>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] MAC Tokens body hash
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Aug 2011 00:28:16 -0000

On Tue, Aug 2, 2011 at 2:22 AM, Eran Hammer-Lahav <> wrote:
> I am going to drop both ‘bodyhash’ and ‘ext’, and instead add ‘app’. ‘app’
> allows you to include any data you want. ‘ext’ without an internal format
> and register is just asking for trouble, and I have no intention of adding
> that level of complexity. There are other proposals in the IETF for full
> HTTP message signatures, and I’ll leave these more complex use cases to
> them.
> If you can demonstrate actual need (with examples) of both ‘app’ and ‘ext’,
> I’m willing to reconsider but you can clearly accomplish the same end result
> with just one, application-specific parameter.

Just a word of process stuff, here: draft-ietf-oauth-v2-http-mac is a
working group document, not an individual submission.  That means that
the working group decides what gets changed, and we need to see
consensus to make a change like this.  "I am going to", "I have no
intention of", and "I'm willing to reconsider" aren't appropriate.

It might be that making this change is the right thing to do, but so
far we have no one voicing support for the change (Skylar responded
favourably to the initial message, but no one's supported removing
"ext" in favour of "app").  Let's have more discussion before any
decisions are made.  And, in general, for all documents, let's please
have editors making suggestions, not pronouncements.  Tone is

Barry, as chair