Re: [OAUTH-WG] Mandatory-to-implement token type
Michael D Adams <mike@automattic.com> Fri, 02 December 2011 02:14 UTC
Return-Path: <michael.d.adams@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D5C811E80A6 for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2011 18:14:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozLYkBl5YhUk for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2011 18:14:31 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 876A311E8114 for <oauth@ietf.org>; Thu, 1 Dec 2011 18:14:31 -0800 (PST)
Received: by ghrr18 with SMTP id r18so2940151ghr.31 for <oauth@ietf.org>; Thu, 01 Dec 2011 18:14:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=Kw5c2pCvRJBel9p660D+EzlqjBUiSeBmOW2xnBIQHXA=; b=DKYUSE3VM2zKoM/2i+bylSIn7CAsU0pxQchHdaSsja9olnszFbFKS01nsOTBI0f1K1 /T9VpTP6RDJp5lg1q6rm2G6pT18GCDlPvVryWkh+NEG/Hm+ZTJHqX9szkbEB5yww0o7Y iQQZXhmvLWCPVEgvu4GXKTRaBhC+qYhd4sCOI=
Received: by 10.236.189.97 with SMTP id b61mr15562428yhn.116.1322792071193; Thu, 01 Dec 2011 18:14:31 -0800 (PST)
MIME-Version: 1.0
Sender: michael.d.adams@gmail.com
Received: by 10.101.116.15 with HTTP; Thu, 1 Dec 2011 18:14:10 -0800 (PST)
In-Reply-To: <4ED82D62.3070800@cs.tcd.ie>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com> <CAH-8B6sjim_tcBkTPFWc1SnjhtHDQTR7sVT+aOjnYv7cs8JssA@mail.gmail.com> <4ED82D62.3070800@cs.tcd.ie>
From: Michael D Adams <mike@automattic.com>
Date: Thu, 01 Dec 2011 18:14:10 -0800
X-Google-Sender-Auth: 4GLdOkdMHQn2T_jOfXUg1FW51Xc
Message-ID: <CAH-8B6toCiYMeMAe-ZiHCdPCLa_Xz5aa92JjkWh=p0tkRXNnhQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2011 02:14:32 -0000
On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > On 12/02/2011 01:38 AM, Michael D Adams wrote: >> So an MTI token type + no client preference is equivalent to there >> only existing one token type. > > Maybe. > > However, no MTI token type + no client preference = no interop. > > So I don't get your argument. (When thinking of interop.) I think it's me that doesn't understand your argument. Suppose an authorization server implements OAuth2 and has some requirement that the MTI token type doesn't provide (as William Mills suggested), so the server implements token type AWESOME in addition to token type MTI. Whenever a token is requested, the authorization server issues one of type AWESOME. Type MTI is never issued. Why bother implementing type MTI if it's never used? Additionally, the authorization server could not implement type MTI but claim it did. There's no way for a third party to verify the claim since the authorization server never issues a token of type MTI. If tokens of type MTI are never used by this server, how does the MTI token type help interop? Is your argument that this server would say "No, we do not support OAuth2. We do, however, support OAuth2+AWESOME."? That semantic argument I understand, but I am ignorant as to how/if it fits into the RFC.
- [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type Justin Richer
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael Thomas
- Re: [OAUTH-WG] Mandatory-to-implement token type Eran Hammer-Lahav
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Phil Hunt
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael Thomas
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael D Adams
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael D Adams
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael Thomas
- Re: [OAUTH-WG] Mandatory-to-implement token type Michael D Adams
- Re: [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Bart Wiegmans
- Re: [OAUTH-WG] Mandatory-to-implement token type Blaine Cook
- [OAUTH-WG] Fwd: Re: Mandatory-to-implement token … Justin Richer
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… André DeMarre
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… Richer, Justin P.
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… André DeMarre
- Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement to… Dan Taflin
- Re: [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type Mike Jones
- Re: [OAUTH-WG] Mandatory-to-implement token type John Bradley
- Re: [OAUTH-WG] Mandatory-to-implement token type Anthony Nadalin
- Re: [OAUTH-WG] Mandatory-to-implement token type Paul Madsen
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Mike Jones
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Eran Hammer-Lahav
- Re: [OAUTH-WG] Mandatory-to-implement token type Eran Hammer-Lahav
- Re: [OAUTH-WG] Mandatory-to-implement token type Blaine Cook
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell
- Re: [OAUTH-WG] Mandatory-to-implement token type Justin Richer
- Re: [OAUTH-WG] Mandatory-to-implement token type Marius Scurtescu
- Re: [OAUTH-WG] Mandatory-to-implement token type Leif Johansson
- Re: [OAUTH-WG] Mandatory-to-implement token type Leif Johansson
- Re: [OAUTH-WG] Mandatory-to-implement token type William Mills
- Re: [OAUTH-WG] Mandatory-to-implement token type Blaine Cook
- Re: [OAUTH-WG] Mandatory-to-implement token type Leif Johansson
- Re: [OAUTH-WG] Mandatory-to-implement token type Barry Leiba
- Re: [OAUTH-WG] Mandatory-to-implement token type Stephen Farrell