Re: [OAUTH-WG] OK to post OAuth Bearer draft 15?

Barry Leiba <> Sun, 18 December 2011 18:51 UTC

To: Mike Jones
Cc: Mark Nottingham

> Unless I hear a “no” from Mark, the chairs, or Stephen I’ll plan to publish
> -15 over the weekend.  (Or if I hear a “yes”, I’ll do so right away. :-) )

In general, I always prefer that people have the latest text to review
and comment on, and when there are significant updates to distribute,
a new version is a good thing.  Versions are cheap, so we should
publish them often.

So, that's a yes.

There's also something else I want to say:
I consider Mark's comments to be significant and important, and I
don't consider them to have been adequately addressed.  He's brought
up concerns that the working group had not previously thought about,
and which are real problems in how communication with web services
works, with respect to bearer tokens.

Let me point out that "this represents working-group consensus" is not
always a valid response.  If the working group has actually considered
the *issue*, that might be OK.  But if there's consensus for the
chosen solution and someone brings up a *new* issue with it, that
issue needs to be addressed anew.

Suppose the working group looks at a particular question and decides
on solution X.  Suppose there's not really even any argument, but
unanimous agreement that X is the simplest approach, and everyone
strongly supports X.  So that goes into the document.  Then someone
reviews it and says, "Solution X has a very nasty failure mode in
situation Q, and that makes it extremely problematic for this usage.
You really need to do Y or Z in order for it to work safely."  Saying
that X represents working-group consensus doesn't fly here.  It does,
but the working group never thought about the situation-Q failure
condition, and now has to address things in that light.  The answer
*after* that might be "Consensus is that Q will never arise in our
usage, so X remains viable, and is the best solution for us," and
that's OK.  But the discussion and the consideration of alternatives
that don't have the cited problem needs to happen.

As Mark points out, he does not have the standing to block the
publication of anything; he has just brought up issues that he sees
with the document as it stands.  But the chairs, the responsible AD,
and, ultimately, the rest of the IESG can block publication if
substantive issues have not been addressed, and we think that the
unresolved problems could be bad for the Internet.  The working group
needs to make sure that it's clear how those substantive issues have
been addressed, or why they don't matter.

Barry, as chair