Re: [OAUTH-WG] Document Management Issue (Signatures)

Eran Hammer-Lahav <> Mon, 27 September 2010 16:54 UTC

It matters if we publish one main specification and then a bunch of extensions. It doesn't matter if we break the core specification into multiple functional parts, where using bearer tokens is also outside core. My concern is solely on the impression and education the specification provides. Putting bearer tokens in the core specification and signatures elsewhere creates a strong bias towards bearer tokens.

I want a fair and balanced document.


From: [] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Monday, September 27, 2010 9:43 AM
Subject: [OAUTH-WG] Document Management Issue (Signatures)

Hi all

I wonder whether the question of "signature in the main specification or in a separate document" does not really matter. It is purely a matter of document management style.

The important question is whether there will be a **mandatory to implement** or **mandatory to use** someone in the document set. Mandatory to use is typically hard to enforce unless there is only one approach possible. This does not seem to be the case.

So, everything then boils down to the question: What is mandatory to implement? (in this specific case with regard to security)