IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Marius Scurtescu <mscurtescu@google.com> Wed, 16 February 2011 17:04 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D50E3A6C8F for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 09:04:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VS9MbTUcZjup for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 09:04:27 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 6953F3A6C2E for <oauth@ietf.org>; Wed, 16 Feb 2011 09:04:27 -0800 (PST)
Received: from hpaq11.eem.corp.google.com (hpaq11.eem.corp.google.com [172.25.149.11]) by smtp-out.google.com with ESMTP id p1GH4tn7011568 for <oauth@ietf.org>; Wed, 16 Feb 2011 09:04:55 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1297875895; bh=jlIBsXOmJVQEIKsB1LKxSyXvaac=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=TnDRNNObnZYdaLCVf9cwnPSIp1J183xDaq5Fc4sleuNlfBifiR4LTmBkXHdQ2IIYY y2SVq4awyVYwcjjdhRIjA==
Received: from gyb11 (gyb11.prod.google.com [10.243.49.75]) by hpaq11.eem.corp.google.com with ESMTP id p1GH4rHA021173 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <oauth@ietf.org>; Wed, 16 Feb 2011 09:04:54 -0800
Received: by gyb11 with SMTP id 11so693671gyb.19 for <oauth@ietf.org>; Wed, 16 Feb 2011 09:04:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=H8FDcsSVYj4I23wR4Q1hCpO29Bu3FgtS6lOtk3ivS/w=; b=HSoTquqF73S8tztzRJoSHNF9ctQihBIU1KeUjX/dOxXIzL3DrEP39B95S/sq38espq /jxGEj2usjo29IkmDANA==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=TlQvNye5tVNVUkAC84KBMP5vksvhoZT/kIXHoh38kTWtLDC4x34olTrSRBbX2P3H7V Yw3Msss//7q0R8DMEoeQ==
Received: by 10.100.7.3 with SMTP id 3mr368342ang.62.1297875892899; Wed, 16 Feb 2011 09:04:52 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.12.3 with HTTP; Wed, 16 Feb 2011 09:04:32 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 16 Feb 2011 09:04:32 -0800
Message-ID: <AANLkTimjWkO8o+z+P=AKpyYkSjTh6oS7uM9N0JwR_vR6@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 17:04:28 -0000

On Wed, Feb 16, 2011 at 9:00 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurtescu@google.com]
>> Sent: Wednesday, January 26, 2011 12:09 PM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
>>
>> - 4.1. Authorization Code. It is stated that authorization code is suitable for
>> clients that can hold a secret. Not necessarily true, it is the best flow for
>> native apps, for example.
>
> While the authorization code *can* be used without client authentication, it was designed explicitly for that use case. By defining it as such, we make the security consideration section significantly simpler and more specific.
>
> Now, this does not prevent using it without client authentication. Note that this is prose and not normative language.
>
> I rather not change this. I think using the ability of the client to authenticate with confidential credentials has been a huge issue for OAuth 1.0 understanding and implementers and this is the simplest way to address it.
>
> At some point, trying to make every single word be 100% compatible with every conceivable use case makes the specification unusable.

Yes, I understand. But Native Apps have no appropriate flow now, and
they started the whole protocol.

Marius

v2.23.0 | Report a Bug | By Email