Re: [OAUTH-WG] Basic signature support in the core specification

John Panzer <jpanzer@google.com> Fri, 24 September 2010 23:26 UTC


-1 on requiring it to be part of core OAuth2.  Reasoning: It won't be a MUST
or even SHOULD requirement for either client or server, so adding it later
does not affect interop.  The actual schedule to finalize the signature
mechanism should not be affected either way -- it's fine for a WG to produce
2 or more RFCs if that's the right thing to do.  (If there were consensus
today on what exactly the signing mechanism should be I'd think differently,
but I don't believe there is.)

Caveat:  If there were consensus that OAuth 2 should simply adopt the OAuth
1.0a signature mechanism today, I'd be okay with that, just because there is
some proven code out there.

This is of course a trade-off.  My bias:  I really want us to stabilize what
has been spec'd so far and move forward with that while additional work
happens.  There are already multiple mutually implementations of "OAuth2"
floating around and I'd rather resolve that quickly.
--
John Panzer / Google
jpanzer@google.com / abstractioneer.org <http://www.abstractioneer.org/> /
@jpanzer



On Thu, Sep 23, 2010 at 6:43 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> Since much of this recent debate was done off list, I'd like to ask people
> to simply express their support or objection to including a basic signature
> feature in the core spec, in line with the 1.0a signature approach.
>
> This is not a vote, just taking the temperature of the group.
>
> EHL