Hi Steven,

I don't think there will be a formal response and here are the reasons:

a) The press does not seem to be interested in spending time looking at details since otherwise they would have at least gotten more input prior to posting their stories. They did, however, only copy text from Eran's blog post.

b) Eran is not likely to agree with us regardless of what we write. He did not care about the views of others during the past few years either.

c) Those who had worked on an implementation and deployed OAuth 2.0 do not need any formal response from us. They have already experienced OAuth 2.0 and they, as many posts confirm, do not find it complicated to implement nor to deploy.

d) Those who are thinking about using OAuth 2.0 need to think about what they are trying to accomplish. Those trying to write their own OAuth 2.0 library will have to read through the specification. There is no way around it. Application developers, who are just using OAuth, will have to think about their use case. For example, if you want to write an application that uses Facebook then you will have to look at their SDK. For all the others who are creating their own application deployment (like a site that offers access to a protected resource) I suggest re-using one of the existing libraries (instead of implementing OAuth from scratch). For this group I doubt they are interested in any standardization related discussion.

I hope that this makes sense to you. If you have any recommendations of what guidance developers would like to see I am sure we can put some information together.

Ciao
Hannes

On Jul 29, 2012, at 4:31 PM, Steven Willmott wrote:

> Hi Hannes,
>
> Do you think there will be some sort of (semi?)formal response from the IETF
> group? I can understand that they might not want to, but some of the points
> made seem salient, the problem is/will become what recommendations go out to
> people what to implement.
>
> We get that question very regularly from users, so we have our thinking caps
> on at the moment.
>
> steve.
>
> On Jul 29, 2012, at 2:59 PM, Hannes Tschofenig wrote:
>> Thanks for sharing your views, Steve.
>>
>> I agree with your statements below and it would indeed be strange if Eran
>> gets to decide that a technology dies (that is already widely implemented
>> and deployed).
>>
>> I would have liked to get the specification finished earlier myself and,
>> funny enough, Eran is also responsible for the delay (although not the only
>> person).
>>
>>
>> On Jul 29, 2012, at 2:38 PM, Steven Willmott wrote:
>>
>>>
>>> I certainly don't think it's dead - Eran makes some important points and
>>> the current 2.0 spec has certainly dragged a long time to get final. The
>>> biggest concern is fragmentation between implementations - the suggestion
>>> of using a concrete instantiation (e.g. Facebook) only takes you so far.
>>>
>>> The IETF group is still a legitimate body, with a legitimate process -
>>> however given the nature of the criticisms and who they come from, I'd hope
>>> someone from that group steps forward and outlines a response and -- for
>>> the legitimate comments perhaps an evolutionary path.
>>>
>>> There are also some other potential efforts to monkey patch oAuth 1.0a -
>>> eg. see: http://news.ycombinator.com/item?id=4294959, but who knows where
>>> these will go.
>>>
>>> I wouldn't call oAuth dead - it's the best pattern we have for this kind of
>>> thing, but there's certainly a danger of fragmentation right now.
>>>
>>> steve.
>>>
>>>
>>> On Jul 29, 2012, at 6:24 AM, André Fiedler wrote:
>>>
>>>> OAuth 2.0 and the Road to Hell:
>>>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>>>>
>>>>
>>>> 2012/4/15 Hannes Tschofenig <[email protected]>
>>>> You can subscribe to the IETF OAuth mailing list here:
>>>> http://datatracker.ietf.org/wg/oauth/charter/
>>>>
>>>> (On the left side you can find the links to the subscribe page as well as
>>>> to the archive.
>>>> If you look at the archive at
>>>> http://www.ietf.org/mail-archive/web/oauth/current/maillist.html you will
>>>> notice that there are "a few" mails since May 2009...)
>>>>
>>>> On Mar 21, 2012, at 11:06 AM, André Fiedler wrote:
>>>>
>>>>> Ok, many thanks for your answers. So I will build upon OAuth (OAuth
>>>>> Provider) and hope this is the right step.
>>>>>
>>>>> 2012/3/21 Nat Sakimura <[email protected]>
>>>>> So it has moved on to IETF from oauth.org.
>>>>>
>>>>> Google, Facebook among others have been implementing OAuth 2.0 various
>>>>> revisions to this date.
>>>>> OAuth 2.0 in IETF is near its completion.
>>>>>
>>>>> Best,
>>>>>
>>>>> Nat
>>>>>
>>>>>
>>>>> On Tue, Mar 20, 2012 at 4:16 AM, SunboX <[email protected]>
>>>>> wrote:
>>>>> Last Blog-Post on oauth.net is from May 2009. All php libraries are
>>>>> sleeping since one year (http://code.google.com/p/oauth-php/source/list).
>>>>> Who did see OAuth 2.0 somewhere?
>>>>>
>>>>> Is OAuth dead?
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups
>>>>> "OAuth" group.
>>>>> To post to this group, send email to [email protected].
>>>>> To unsubscribe from this group, send email to
>>>>> [email protected].
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/oauth?hl=en.
>>>>>
>>>>>
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
