Re: [OAUTH-WG] conf call follow up from today

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 04 February 2013 21:42 UTC

On 04/02/13 20:22, William Mills wrote:
> 1) I think that we need to focus on specific solutions, as I said on the
> call, and solve the OAuth 1.0a/MAC use case. There's a significant
> installed base of OAuth 1.0a and we need a path for those installations
> into OAuth 2.0.
+1.

> I may well pursue MAC in the interim to do this,

I can help with some testing if/when needed...

Sergey

> but a
> full HOK solution would work too.
>
> 2) I think the discussion we were having about "which authenticator to
> use" falls squarely into the endpoint discovery discussion and we should
> put that energy into endpoint discovery as distinct from HOK.
>
> 3) We haven't talked yet about how a client will be able to specify a
> token type if it wants a specific one. OAuth 2 core will need to be
> extended to support this.
>
> 4) We should leave the key distribution/discovery mechanism either out
> of scope or define it explicitly per HOK token type profile. This will
> have to work with the extensions for #3 above.
>
> 5) I want to avoid the problem in OAuth 1.0a of having to support and
> accept every possible signing mode. Being forced to accept PLAINTEXT
> sucks. We need a way for the discovery endpoint to mandate a specific
> set of allowed signature methods.
>
> Regards,
>
> -bill