Hi Hannes,
Thanks for your answer - I can definitely understand the sentiments and of
course as you mentioned before there is more than one side of the story and
this absolutely isn't one person's decision! Also maybe official statements are
not appropriate / possible but I would ask (and I think a lot of people would):
1. Will the IETF group complete the process and still finalize a full
specification as forseen? (and in the
timeframe forseen - I think the charter runs to 2013 if I'm not wrong.
2. Will there be any activity which takes on board / responds to some of the
points made by Eran? (Note
I'm not saying there is an obligation - just that it feels like some
acknowledgement would make sense
and a idea that the comments had been "received and considered" (or not)).
You stated that Eran would disagree - which may be true of course, but I don't
think this is a reason not to make statements.
I guess what I'm trying to say above all is that people will be trying to make
decisions about adoption and it would be helpful to have a forward looking
statement from the IETF group as to where things are headed. Even if this is
not at all in doubt for the group, it might be when seen from the outside.
Don't know if that makes some kind of sense.
steve.
On Aug 1, 2012, at 2:42 PM, Hannes Tschofenig wrote:
> Hi Steven,
>
> I don't think there will be a formal response and here are the reasons:
>
> a) the press does not seem to be interested to spend time looking at details
> since otherwise they would have at least gotten more input prior to post
> their stories. They did, however, only copy text from Eran's blog post.
>
> b) Eran is not likely to agree with us regardless of what we write. He did
> not care about the views of others during the past few years either.
>
> c) Those who had worked on an implementation and deployed OAuth 2.0 do not
> need any formal response from us. They have already experienced OAuth 2.0 and
> they, as many posts confirm, do not find it complicated to implement nor to
> deploy.
>
> d) Those who are thinking about using OAuth 2.0 need to think what they are
> trying to accomplish. Those trying to write their own OAuth 2.0 library will
> have to read through the specification. There is no way around it.
> Application developers, who are just using OAuth, will have to think about
> their use case. For example, if you want to write an application that uses
> Facebook then you will have to look at their SDK. For all the others who are
> creating their own application deployment (like a site that offers access to
> a protected resource) I suggest to re-use one of the existing libraries
> (instead of implementing OAuth from scratch).
> For this group I doubt they are interested in any standardization related
> discussion.
>
> I hope that this makes sense to you. If you have any recommendations of what
> guidance developers would like to see I am sure we can put some information
> together.
>
> Ciao
> Hannes
>
> On Jul 29, 2012, at 4:31 PM, Steven WIllmott wrote:
>
>> Hi Hannes,
>>
>> Do you think there will some sort of (semi?)formal response from the IETF
>> group? I can understand that they might not want to, but some of the points
>> made seem salient, the problem is/will become what recommendations go out to
>> people what to implement.
>>
>> We get that question very regularly from users, so we have our thinking caps
>> on at the moment.
>>
>> steve.
>>
>> On Jul 29, 2012, at 2:59 PM, Hannes Tschofenig wrote:
>>> Thanks for sharing your views, Steve.
>>>
>>> I agree with your statements below and it would indeed be strange if Eran
>>> gets to decide that a technology dies (that is already widely implemented
>>> and deployed).
>>>
>>> I would have liked to get the specification finished earlier myself and,
>>> funny enough, Eran is also responsible for the delay (although not the only
>>> person).
>>>
>>>
>>> On Jul 29, 2012, at 2:38 PM, Steven WIllmott wrote:
>>>
>>>>
>>>> I certainly don't think it's dead - Eran makes some important points and
>>>> the current 2.0 spec has certainly dragged a long time to get final. The
>>>> biggest concern is fragmentation between implementations - the suggestion
>>>> of using a concrete instantiation (e.g. Facebook) only take you so far.
>>>>
>>>> The IETF group is still a legitimate body, with a legitimate process -
>>>> however given the nature of the criticisms and who they come from, I'd
>>>> hope someone from that group steps forward and outlines a response and --
>>>> for the legitimate comments perhaps an evolutionary path.
>>>>
>>>> There are also some other potential efforts to monkey patch oAuth 1.0a -
>>>> eg. see: http://news.ycombinator.com/item?id=4294959, but who knows where
>>>> these will go.
>>>>
>>>> I wouldn't call oAuth dead - it's the best pattern we have for this kind
>>>> of thing, but there's certainly a danger of fragmentation right now.
>>>>
>>>> steve.
>>>>
>>>>
>>>> On Jul 29, 2012, at 6:24 AM, André Fiedler wrote:
>>>>
>>>>> OAuth 2.0 and the Road to Hell:
>>>>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>>>>>
>>>>>
>>>>> 2012/4/15 Hannes Tschofenig <hannes.tschofe...@gmx.net>
>>>>> You can subscribe to the IETF OAuth mailing list here:
>>>>> http://datatracker.ietf.org/wg/oauth/charter/
>>>>>
>>>>> (On the left side you can find the links to the subscribe page as well as
>>>>> to the archive. If you look at the archive at
>>>>> http://www.ietf.org/mail-archive/web/oauth/current/maillist.html you will
>>>>> notice that there are "a few mails since May 2009...)
>>>>>
>>>>> On Mar 21, 2012, at 11:06 AM, André Fiedler wrote:
>>>>>
>>>>>> Ok, many thanks for your answers. So I will build upon OAuth (OAuth
>>>>>> Provider) and hope this is the right step.
>>>>>>
>>>>>> 2012/3/21 Nat Sakimura <sakim...@gmail.com>
>>>>>> So it has moved on to IETF from oauth.org.
>>>>>>
>>>>>> Google, Facebook among others have been implementing OAuth 2.0 various
>>>>>> revisions to this date.
>>>>>> OAuth 2.0 in IETF is near its completion.
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Nat
>>>>>>
>>>>>>
>>>>>> On Tue, Mar 20, 2012 at 4:16 AM, SunboX <fiedler.an...@googlemail.com>
>>>>>> wrote:
>>>>>> Last Blog-Post on oauth.net is from may 2009. All php libraries are
>>>>>> sleeping since one year (http://code.google.com/p/oauth-php/source/
>>>>>> list).
>>>>>> Who did see OAuth 2.0 somewhere?
>>>>>>
>>>>>> Is OAuth death?
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "OAuth" group.
>>>>>> To post to this group, send email to oauth@googlegroups.com.
>>>>>> To unsubscribe from this group, send email to
>>>>>> oauth+unsubscr...@googlegroups.com.
>>>>>> For more options, visit this group at
>>>>>> http://groups.google.com/group/oauth?hl=en.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Nat Sakimura (=nat)
>>>>>> Chairman, OpenID Foundation
>>>>>> http://nat.sakimura.org/
>>>>>> @_nat_en
>>>>>>
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "OAuth" group.
>>>>>> To post to this group, send email to oauth@googlegroups.com.
>>>>>> To unsubscribe from this group, send email to
>>>>>> oauth+unsubscr...@googlegroups.com.
>>>>>> For more options, visit this group at
>>>>>> http://groups.google.com/group/oauth?hl=en.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "OAuth" group.
>>>>>> To post to this group, send email to oauth@googlegroups.com.
>>>>>> To unsubscribe from this group, send email to
>>>>>> oauth+unsubscr...@googlegroups.com.
>>>>>> For more options, visit this group at
>>>>>> http://groups.google.com/group/oauth?hl=en.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups
>>>>> "OAuth" group.
>>>>> To post to this group, send email to oauth@googlegroups.com.
>>>>> To unsubscribe from this group, send email to
>>>>> oauth+unsubscr...@googlegroups.com.
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/oauth?hl=en.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups
>>>>> "OAuth" group.
>>>>> To post to this group, send email to oauth@googlegroups.com.
>>>>> To unsubscribe from this group, send email to
>>>>> oauth+unsubscr...@googlegroups.com.
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/oauth?hl=en.
>>>>
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "OAuth" group.
>>>> To post to this group, send email to oauth@googlegroups.com.
>>>> To unsubscribe from this group, send email to
>>>> oauth+unsubscr...@googlegroups.com.
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/oauth?hl=en.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "OAuth" group.
>>> To post to this group, send email to oauth@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> oauth+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/oauth?hl=en.
>>>
>>
>
--
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com.
To unsubscribe from this group, send email to
oauth+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/oauth?hl=en.
