Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

John Bradley <> Thu, 18 February 2016 18:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6E6961A898A for <>; Thu, 18 Feb 2016 10:32:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tPeR-1PzBnbb for <>; Thu, 18 Feb 2016 10:32:56 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 010701A88BA for <>; Thu, 18 Feb 2016 10:32:55 -0800 (PST)
Received: by with SMTP id k196so53269615vka.0 for <>; Thu, 18 Feb 2016 10:32:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=IJFCea8Dk5tk351N1hPloKtwUh/l89ayjcfC8vCDEuE=; b=pXwdwiouDDcJiBUwoExR9IE1fIhDJIsTlpwXgjEQ5O+dGR4krsSzzYgv9nHoxnk1T0 8FuTyRY0PsBD3T6bt+sXTZjo1yt43QYGs7R8yUUlel7HL3TIajyEzHL3MiTX5dVtHrGZ /fX/2BXYjMGo7RyLbqmhor71HNvUxSWypS2QMo6D2c+NG96HWhMEieLJWPlZgviN6k4y nhGOrllOjfmF5QJ3GvDLFgo1yQGfMTkbKzycLAGbaNiKKihuJ6FsvwBcl2VZvEd7+SCu 2L7emQR9trGXXtVnoBTAfuZm0fK6C0G0/GCtVUrpONqL40tGjDLFTkaUudM/eesMgLtH dQWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=IJFCea8Dk5tk351N1hPloKtwUh/l89ayjcfC8vCDEuE=; b=mFOt1iIUuP/9i7k1bigsHocEADIuxO7CCN7c51J0CY+h0urrt7Kn8qmK983ZWjFNF0 4CsYtFcYfj4g84vuxxD6U+Jqn5DxMHQbdi3/swZZ+8aEfO65FwOzgsazLZsmYUN3Hkwn D0DEJET4AIrNX9eaW38vyq/vB2zTg1QPogyaUhbK75HzIfecLt++M+kzhHxYunfZJbLu 2P8lae3CzAmkt1lmn8PTOrza0nxYXnflVSekfsTtSLAVrydVmkUeMgIgeAXNxdBAF86M 7XV8fEGJtcv0yKNzgQmlH7Aep67jhAT98C7/B3BpZ1bJezAtzViA8qWwmct3tx7lWCN6 N+zw==
X-Gm-Message-State: AG10YOR9pIwU0BNBvIL+6SC+jqZqwoGr/rWCVncnVVkzYUQfusFrmHvECcp5tq0WtUMBDQ==
X-Received: by with SMTP id p199mr7469765vke.122.1455820374691; Thu, 18 Feb 2016 10:32:54 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id v19sm875645vkd.22.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 18 Feb 2016 10:32:54 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_C28D1E9E-818B-4F4F-A800-8CA19F3153EB"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <>
In-Reply-To: <>
Date: Thu, 18 Feb 2016 13:32:52 -0500
Message-Id: <>
References: <> <> <> <> <> <> <> <>
To: Anthony Nadalin <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Feb 2016 18:32:58 -0000

We are establishing a registry.  Some folks do use dynamic client registration.   

We can register it in this document or take it out and let others register it once the registry is established.

It will be registered one way or the other.  

One of the reasons for starting last call is to get people to read the draft and comment. 
That seems to be working.

If you have specific security considerations, please let us know so they can be addressed.   Text is always appreciated.

John B.

> On Feb 18, 2016, at 1:27 PM, Anthony Nadalin <> wrote:
> Not sure about that. There are things that are "recommended" like the dynamic registration endpoint, I don't understand why this is recommended as a lot of folks still don't do this. There are security considerations about all the information that is in the discovery that have not been addressed.
> -----Original Message-----
> From: Mike Jones 
> Sent: Thursday, February 18, 2016 10:18 AM
> To: Anthony Nadalin <>om>; Hannes Tschofenig <>et>; Phil Hunt <>om>; John Bradley <>
> Cc:
> Subject: RE: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> It's the OAuth-specific subset of what's already widely deployed.  Nothing was invented - just subsetted.
> I think it's already as simple as possible unless the working group decides to remove even more functionality (which it can obviously do).
> 				-- Mike
> -----Original Message-----
> From: OAuth [] On Behalf Of Anthony Nadalin
> Sent: Thursday, February 18, 2016 10:13 AM
> To: Hannes Tschofenig <>et>; Phil Hunt <>om>; John Bradley <>
> Cc:
> Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> I also think we are way far from last call (and surprised to see last call issued) on this document as it is still very complex for something that should be very simple 
> -----Original Message-----
> From: OAuth [] On Behalf Of Hannes Tschofenig
> Sent: Thursday, February 18, 2016 6:47 AM
> To: Phil Hunt <>om>; John Bradley <>
> Cc:
> Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
> On 02/18/2016 03:06 PM, Phil Hunt wrote:
>> BTW. I think we are FAR from Last Call on this topic.
> Thanks for your feedback, Phil. As you have seen I had issued a WGLC prior to your message based on the claim from the authors that they believe the document is finished.
> We will, of course, take all reviews into account and see where we are with the discovery spec. I, as the shepherd, will also do my review and I encourage many working group members to also take a look at the document and to provide their input.
> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list