Hi Nat,

Yes, indeed - just saw that on Twitter, after sending the below. That's good news - do you know what the expectation is for finalization?

thanks and all the best,
steve.

On Aug 1, 2012, at 11:42 PM, Nat Sakimura wrote:

> Hi Steve,
>
> Actually, the OAuth 2.0 Core and Bearer specs were approved by IESG to be
> sent to RFC Editor as of today.
> That means, it is essentially done.
>
> Nat
>
> On Wed, Aug 1, 2012 at 3:02 PM, Steven WIllmott <stev...@gmail.com> wrote:
> Hi Hannes,
>
> Thanks for your answer - I can definitely understand the sentiments and of
> course as you mentioned before there is more than one side of the story and
> this absolutely isn't one person's decision! Also maybe official statements
> are not appropriate / possible but I would ask (and I think a lot of people
> would):
>
> 1. Will the IETF group complete the process and still finalize a full
> specification as foreseen? (and in the timeframe foreseen - I think the
> charter runs to 2013 if I'm not wrong.)
>
> 2. Will there be any activity which takes on board / responds to some of the
> points made by Eran? (Note I'm not saying there is an obligation - just that
> it feels like some acknowledgement would make sense and an idea that the
> comments had been "received and considered" (or not)).
>
> You stated that Eran would disagree - which may be true of course, but I
> don't think this is a reason not to make statements.
>
> I guess what I'm trying to say above all is that people will be trying to
> make decisions about adoption and it would be helpful to have a forward
> looking statement from the IETF group as to where things are headed. Even if
> this is not at all in doubt for the group, it might be when seen from the
> outside.
>
> Don't know if that makes some kind of sense.
>
> steve.
>
> On Aug 1, 2012, at 2:42 PM, Hannes Tschofenig wrote:
>
> > Hi Steven,
> >
> > I don't think there will be a formal response and here are the reasons:
> >
> > a) the press does not seem to be interested to spend time looking at
> > details since otherwise they would have at least gotten more input prior to
> > post their stories. They did, however, only copy text from Eran's blog post.
> >
> > b) Eran is not likely to agree with us regardless of what we write. He did
> > not care about the views of others during the past few years either.
> >
> > c) Those who had worked on an implementation and deployed OAuth 2.0 do not
> > need any formal response from us. They have already experienced OAuth 2.0
> > and they, as many posts confirm, do not find it complicated to implement
> > nor to deploy.
> >
> > d) Those who are thinking about using OAuth 2.0 need to think what they are
> > trying to accomplish. Those trying to write their own OAuth 2.0 library
> > will have to read through the specification. There is no way around it.
> > Application developers, who are just using OAuth, will have to think about
> > their use case. For example, if you want to write an application that uses
> > Facebook then you will have to look at their SDK. For all the others who
> > are creating their own application deployment (like a site that offers
> > access to a protected resource) I suggest to re-use one of the existing
> > libraries (instead of implementing OAuth from scratch).
> > For this group I doubt they are interested in any standardization related
> > discussion.
> >
> > I hope that this makes sense to you. If you have any recommendations of
> > what guidance developers would like to see I am sure we can put some
> > information together.
> >
> > Ciao
> > Hannes
> >
> > On Jul 29, 2012, at 4:31 PM, Steven WIllmott wrote:
> >
> >> Hi Hannes,
> >>
> >> Do you think there will be some sort of (semi?)formal response from the IETF
> >> group? I can understand that they might not want to, but some of the
> >> points made seem salient, the problem is/will become what recommendations
> >> go out to people what to implement.
> >>
> >> We get that question very regularly from users, so we have our thinking
> >> caps on at the moment.
> >>
> >> steve.
> >>
> >> On Jul 29, 2012, at 2:59 PM, Hannes Tschofenig wrote:
> >>> Thanks for sharing your views, Steve.
> >>>
> >>> I agree with your statements below and it would indeed be strange if Eran
> >>> gets to decide that a technology dies (that is already widely implemented
> >>> and deployed).
> >>>
> >>> I would have liked to get the specification finished earlier myself and,
> >>> funny enough, Eran is also responsible for the delay (although not the
> >>> only person).
> >>>
> >>>
> >>> On Jul 29, 2012, at 2:38 PM, Steven WIllmott wrote:
> >>>
> >>>>
> >>>> I certainly don't think it's dead - Eran makes some important points and
> >>>> the current 2.0 spec has certainly dragged a long time to get final. The
> >>>> biggest concern is fragmentation between implementations - the
> >>>> suggestion of using a concrete instantiation (e.g. Facebook) only takes
> >>>> you so far.
> >>>>
> >>>> The IETF group is still a legitimate body, with a legitimate process -
> >>>> however given the nature of the criticisms and who they come from, I'd
> >>>> hope someone from that group steps forward and outlines a response and
> >>>> -- for the legitimate comments perhaps an evolutionary path.
> >>>>
> >>>> There are also some other potential efforts to monkey patch OAuth 1.0a -
> >>>> e.g. see: http://news.ycombinator.com/item?id=4294959, but who knows
> >>>> where these will go.
> >>>>
> >>>> I wouldn't call OAuth dead - it's the best pattern we have for this kind
> >>>> of thing, but there's certainly a danger of fragmentation right now.
> >>>>
> >>>> steve.
> >>>>
> >>>>
> >>>> On Jul 29, 2012, at 6:24 AM, André Fiedler wrote:
> >>>>
> >>>>> OAuth 2.0 and the Road to Hell:
> >>>>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
> >>>>>
> >>>>>
> >>>>> 2012/4/15 Hannes Tschofenig <hannes.tschofe...@gmx.net>
> >>>>> You can subscribe to the IETF OAuth mailing list here:
> >>>>> http://datatracker.ietf.org/wg/oauth/charter/
> >>>>>
> >>>>> (On the left side you can find the links to the subscribe page as well
> >>>>> as to the archive. If you look at the archive at
> >>>>> http://www.ietf.org/mail-archive/web/oauth/current/maillist.html you
> >>>>> will notice that there are "a few mails since May 2009...)
> >>>>>
> >>>>> On Mar 21, 2012, at 11:06 AM, André Fiedler wrote:
> >>>>>
> >>>>>> Ok, many thanks for your answers. So I will build upon OAuth (OAuth
> >>>>>> Provider) and hope this is the right step.
> >>>>>>
> >>>>>> 2012/3/21 Nat Sakimura <sakim...@gmail.com>
> >>>>>> So it has moved on to IETF from oauth.org.
> >>>>>>
> >>>>>> Google, Facebook among others have been implementing OAuth 2.0 various
> >>>>>> revisions to this date.
> >>>>>> OAuth 2.0 in IETF is near its completion.
> >>>>>>
> >>>>>> Best,
> >>>>>>
> >>>>>> Nat
> >>>>>>
> >>>>>>
> >>>>>> On Tue, Mar 20, 2012 at 4:16 AM, SunboX <fiedler.an...@googlemail.com>
> >>>>>> wrote:
> >>>>>> Last Blog-Post on oauth.net is from May 2009. All php libraries are
> >>>>>> sleeping since one year (http://code.google.com/p/oauth-php/source/list).
> >>>>>> Who did see OAuth 2.0 somewhere?
> >>>>>>
> >>>>>> Is OAuth dead?
> >>>>>>
> >>>>>> --
> >>>>>> You received this message because you are subscribed to the Google
> >>>>>> Groups "OAuth" group.
> >>>>>> To post to this group, send email to oauth@googlegroups.com.
> >>>>>> To unsubscribe from this group, send email to
> >>>>>> oauth+unsubscr...@googlegroups.com.
> >>>>>> For more options, visit this group at
> >>>>>> http://groups.google.com/group/oauth?hl=en.
> >>>>>>
> >>>>>> --
> >>>>>> Nat Sakimura (=nat)
> >>>>>> Chairman, OpenID Foundation
> >>>>>> http://nat.sakimura.org/
> >>>>>> @_nat_en