I have not been involved in the OAuth design processes, but for the last few months, I’ve been a heavy user of production OAuth2 software. Which I felt gave me a platform to comment on the issue: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
-Tim

On Sun, Jul 29, 2012 at 2:57 PM, Hannes Tschofenig <[email protected]> wrote:
> It sounds indeed great to involve those communities that use the technology.
> However, I don't see an easy way to accomplish that when we talk about a
> really large community.
>
> For example, many people use TLS and they are not all in the TLS WG working
> group. I am not even talking about providing useful input to the work (since
> you would have to be a security expert and some people just want to get their
> application development done as quickly as possible). They just use the
> library.
>
> OAuth is a bit similar in that direction. Ideally, we want Web application
> developers to just use a library and then add their application specific
> technology on top of it rather than having to read the IETF specification and
> to write the OAuth code themselves.
>
> On Jul 29, 2012, at 2:13 PM, Worley, Dale R (Dale) wrote:
>
>>> From: Hannes Tschofenig [[email protected]]
>>>
>>> Eran claims that enterprise identity management equipment manufacturers
>>> dominate the discussion.
>>
>> There's a common problem in the IETF that the development of a standard is
>> dominated by companies that incorporate the standard into their products,
>> whereas the people who "really should" be involved in the development are
>> those who will *use* the standard in operation.
>>
>> Dale
