Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

Mike Jones <Michael.Jones@microsoft.com> Fri, 21 January 2011 18:35 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
Thread-Index: AQHLuQTwEa54sDCM70WJZqHfEo5bZpPbID4AgABPngCAAC/w4A==
Date: Fri, 21 Jan 2011 18:38:06 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943246F2B23@TK5EX14MBXC202.redmond.corp.microsoft.com>
References: <20110121004501.28103.96097.idtracker@localhost> <90C41DD21FB7C64BB94121FBBC2E723445A8D61C8E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E723445A8D61CBA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A8D61CBA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

Please (re-)add my comments into your queue that the client assertion credentials and WWW-Authenticate header should be retained.  Also, per Marius' note of January 20th, Google has plans to use the client assertion credentials as well.

You argue that interop is not hindered by removing features that could be defined as extensions, and that since additional knowledge outside the scope of the specification is required to use these features, there is no value in retaining them.

The problem with those lines of reasoning is that the same arguments could be applied to the whole specification.  People *could* implement OAuth flows with no OAuth specification at all.  So why not get rid of all of it?  Simply, that interop is enhanced by having common ways to do common things -- even if some additional knowledge is required to do them.

Please retain these features.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Thursday, January 20, 2011 9:42 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

Forgot to mention that I don't have any outstanding comments in my queue so if your feedback was not incorporated into -12, and you feel strongly about it, bring it up again.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf 
> Of Eran Hammer-Lahav
> Sent: Thursday, January 20, 2011 4:57 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
> 
> Draft -12 is finally out.
> 
> This is almost a complete rewrite of the entire document, with the 
> primary goal of moving it back to a similar structure used in -05. I 
> have been thinking about this for a few months and finally came up 
> with a structure that combines the two approaches.
> 
> The draft includes some major cleanups, significantly simpler 
> language, reduces repeated prose, and tried to keep prose to the 
> introduction and normative language in the rest of the specification. 
> I took out sections that broke the flow, and did my best to give this 
> a linear narrative that is easy to follow.
> 
> The draft includes the following normative changes:
> 
>    o  Clarified 'token_type' as case insensitive.
>    o  Authorization endpoint requires TLS when an access token is issued.
>    o  Removed client assertion credentials, mandatory HTTP Basic 
> authentication support for client credentials, WWW-Authenticate 
> header, and the OAuth2 authentication scheme.
>    o  Changed implicit grant (aka user-agent flow) error response from 
> query to fragment.
>    o  Removed the 'redirect_uri_mismatch' error code since in such a 
> case, the authorization server must not send the error back to the client.
>    o  Defined access token type registry.
> 
> I would like to spend the coming week receiving and applying feedback 
> before requesting a WGLC for everything but the security 
> considerations section (missing) 2/1.
> 
> EHL
> 
> 
> 
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On 
> > Behalf Of Internet-Drafts@ietf.org
> > Sent: Thursday, January 20, 2011 4:45 PM
> > To: i-d-announce@ietf.org
> > Cc: oauth@ietf.org
> > Subject: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Open Authentication Protocol 
> > Working Group of the IETF.
> >
> >
> > 	Title           : The OAuth 2.0 Authorization Protocol
> > 	Author(s)       : E. Hammer-Lahav, et al.
> > 	Filename        : draft-ietf-oauth-v2-12.txt
> > 	Pages           : 46
> > 	Date            : 2011-01-20
> >
> > This specification describes the OAuth 2.0 authorization protocol.
> >
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-12.txt
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > Below is the data which will enable a MIME compliant mail reader 
> > implementation to automatically retrieve the ASCII version of the
> > Internet-Draft.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth