Re: [OAUTH-WG] Mandatory-to-implement token type
Blaine Cook <romeda@gmail.com> Fri, 02 December 2011 13:10 UTC
Return-Path: <romeda@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 771ED21F9912 for <oauth@ietfa.amsl.com>; Fri, 2 Dec 2011 05:10:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4rXR8CbJiWkV for <oauth@ietfa.amsl.com>; Fri, 2 Dec 2011 05:10:28 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 621E921F9837 for <oauth@ietf.org>; Fri, 2 Dec 2011 05:10:28 -0800 (PST)
Received: by ggnp4 with SMTP id p4so3495732ggn.31 for <oauth@ietf.org>; Fri, 02 Dec 2011 05:10:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=FdcALfY8rEwFJkDcflPvia/Udftfz5w7eb3DrnuUOaQ=; b=YzVXAmEXKvAyPm1MBLsnB5DX+Q1giqmVnPZfK8WQoaBL5YLk+bhWVMAvKJ9ayGi2Nj VyA9FxQfGGL6uRboWvUgfZLWyn9126V2d+kWSPs1yWBlifZw/89tS5/40G7hWJ+9DvgX oH+2ccNe32yJ223pGix0SxlNZrXEEh1Kf82GM=
Received: by 10.182.5.166 with SMTP id t6mr2328536obt.2.1322831409320; Fri, 02 Dec 2011 05:10:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.114.68 with HTTP; Fri, 2 Dec 2011 05:09:48 -0800 (PST)
In-Reply-To: <CALaySJLKYLpPWc14_GUJKc5j1E3QovKQOx9HsdR-n2YV7kstpQ@mail.gmail.com>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com> <CAH-8B6sjim_tcBkTPFWc1SnjhtHDQTR7sVT+aOjnYv7cs8JssA@mail.gmail.com> <4ED82D62.3070800@cs.tcd.ie> <CALaySJLKYLpPWc14_GUJKc5j1E3QovKQOx9HsdR-n2YV7kstpQ@mail.gmail.com>
From: Blaine Cook <romeda@gmail.com>
Date: Fri, 02 Dec 2011 13:09:48 +0000
Message-ID: <CAAz=scmqt5qt5xyHNr6SKpBkqy5kJ1vpdJR6eaPvq8NouNBUxA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2011 13:10:29 -0000
On 2 December 2011 03:20, Barry Leiba <barryleiba@computer.org> wrote: > Stephen is thinking that code will be reused. Perhaps there'll be a > limited number of coded toolkits, and their code will be used to > implement various authorization servers, etc. That's the way a lot of > Internet code is done today. In that case, Stephen posits, if we tell > the toolkit writers that they MUST implement X, then at least when X > is being used, implementations based on the different toolkits can > always interoperate. Lacking that directive, a toolkit that only > implements X will be unable to interoperate with a toolkit that only > implements Y. My $0.02 (tl;dr: I agree with Barry): Libraries are the point of code re-use for OAuth at the moment. If two libraries (e.g., "Ruby OAuth" and "Java OAuth") implement all the necessary bits of OAuth, then people using those libraries can expect (or hope for) interop. We cannot force compliance, but we can mandate it. If a service provider chooses to allow only a subset of OAuth's functionality, and a general-purpose tool (i.e., NOT a library, though perhaps written using a library) doesn't support that subset, then obviously the implementations are not interoperable. However, more likely than not, tools are designed to be used against specific service providers OR other standards (which would in either case mandate the way(s) in which to use OAuth). SO, having Mandatory to Implement schemes in the general sense is pointless. BUT, having BOTH Bearer and MAC be Mandatory to Implement for general-purpose libraries IS useful, and will help interop (assuming library authors bother to follow the spec). b.
- [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type Justin Richer
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael Thomas
- Re: [OAUTH-WG] Mandatory-to-implement token type Eran Hammer-Lahav
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Phil Hunt
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael Thomas
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael D Adams
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael D Adams
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael Thomas
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael D Adams
- Re: [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Bart Wiegmans
- Re: [OAUTH-WG] Mandatory-to-implement token type Blaine Cook
- [OAUTH-WG] Fwd: Re: Mandatory-to-implement token … Justin Richer
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… André DeMarre
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… Richer, Justin P.
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… André DeMarre
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… Dan Taflin
- Re: [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type Mike Jones
- Re: [OAUTH-WG] Mandatory-to-implement token type John Bradley
- Re: [OAUTH-WG] Mandatory-to-implement token type Anthony Nadalin
- Re: [OAUTH-WG] Mandatory-to-implement token type Paul Madsen
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Mike Jones
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Eran Hammer-Lahav
- Re: [OAUTH-WG] Mandatory-to-implement token type Eran Hammer-Lahav
- Re: [OAUTH-WG] Mandatory-to-implement token type Blaine Cook
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Justin Richer
- Re: [OAUTH-WG] Mandatory-to-implement token type Marius Scurtescu
- Re: [OAUTH-WG] Mandatory-to-implement token type Leif Johansson
- Re: [OAUTH-WG] Mandatory-to-implement token type Leif Johansson
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Blaine Cook
- Re: [OAUTH-WG] Mandatory-to-implement token type Leif Johansson
- Re: [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell