Thanks for your input Nate. To the questions others had below earlier I was wondering whether it is known that the IETF tools page shows the current status of all documents. Here is the link: http://datatracker.ietf.org/wg/oauth/
So, for draft-ietf-oauth-v2-31 it says that it is with the RFC Editor. The RFC Editor reads through the documents and corrects editorial bugs.

On Sep 25, 2012, at 9:48 PM, Nate Ferrero wrote:

> Just a note from the perspective of someone who just created an OAuth
> provider library for my company. OAuth 2 allows for relatively high security
> (tokens expire every hour for us, and no client secret is passed to the front
> end). I think people should just start implementing it in a limited way to
> satisfy their needs.
>
> On Thursday, August 2, 2012 10:11:49 PM UTC-7, =nat wrote:
> There is one glitch to be sorted out: the mime type for form encoding is not
> IANA registered. It should be registered by W3C.
> However, I expect it to be sorted out pretty quickly.
>
> Hannes, do you have any comment?
>
> Nat
>
> On Thu, Aug 2, 2012 at 10:55 AM, Steven WIllmott <[email protected]> wrote:
> Hi Nat,
>
> Yes, indeed - just saw that on twitter, after sending the below. That's good
> news - do you know what the expectation is for finalization?
>
> thanks and all the best,
> steve.
>
> On Aug 1, 2012, at 11:42 PM, Nat Sakimura wrote:
>
>> Hi Steve,
>>
>> Actually, the OAuth 2.0 Core and Bearer specs were approved by IESG to be
>> sent to RFC Editor as of today.
>> That means, it is essentially done.
>>
>> Nat
>>
>> On Wed, Aug 1, 2012 at 3:02 PM, Steven WIllmott <[email protected]> wrote:
>> Hi Hannes,
>>
>> Thanks for your answer - I can definitely understand the sentiments and of
>> course as you mentioned before there is more than one side of the story and
>> this absolutely isn't one person's decision! Also maybe official statements
>> are not appropriate / possible but I would ask (and I think a lot of people
>> would):
>>
>> 1. Will the IETF group complete the process and still finalize a full
>> specification as foreseen? (and in the
>> timeframe foreseen - I think the charter runs to 2013 if I'm not wrong.
>>
>> 2. Will there be any activity which takes on board / responds to some of
>> the points made by Eran? (Note
>> I'm not saying there is an obligation - just that it feels like some
>> acknowledgement would make sense
>> and an idea that the comments had been "received and considered" (or
>> not)).
>>
>> You stated that Eran would disagree - which may be true of course, but I
>> don't think this is a reason not to make statements.
>>
>> I guess what I'm trying to say above all is that people will be trying to
>> make decisions about adoption and it would be helpful to have a forward
>> looking statement from the IETF group as to where things are headed. Even if
>> this is not at all in doubt for the group, it might be when seen from the
>> outside.
>>
>> Don't know if that makes some kind of sense.
>>
>> steve.
>>
>> On Aug 1, 2012, at 2:42 PM, Hannes Tschofenig wrote:
>>
>> > Hi Steven,
>> >
>> > I don't think there will be a formal response and here are the reasons:
>> >
>> > a) the press does not seem to be interested to spend time looking at
>> > details since otherwise they would have at least gotten more input prior
>> > to post their stories. They did, however, only copy text from Eran's blog
>> > post.
>> >
>> > b) Eran is not likely to agree with us regardless of what we write. He did
>> > not care about the views of others during the past few years either.
>> >
>> > c) Those who had worked on an implementation and deployed OAuth 2.0 do not
>> > need any formal response from us. They have already experienced OAuth 2.0
>> > and they, as many posts confirm, do not find it complicated to implement
>> > nor to deploy.
>> >
>> > d) Those who are thinking about using OAuth 2.0 need to think what they
>> > are trying to accomplish. Those trying to write their own OAuth 2.0
>> > library will have to read through the specification. There is no way
>> > around it. Application developers, who are just using OAuth, will have to
>> > think about their use case. For example, if you want to write an
>> > application that uses Facebook then you will have to look at their SDK.
>> > For all the others who are creating their own application deployment (like
>> > a site that offers access to a protected resource) I suggest to re-use one
>> > of the existing libraries (instead of implementing OAuth from scratch).
>> > For this group I doubt they are interested in any standardization related
>> > discussion.
>> >
>> > I hope that this makes sense to you. If you have any recommendations of
>> > what guidance developers would like to see I am sure we can put some
>> > information together.
>> >
>> > Ciao
>> > Hannes
>> >
>> > On Jul 29, 2012, at 4:31 PM, Steven WIllmott wrote:
>> >
>> >> Hi Hannes,
>> >>
>> >> Do you think there will be some sort of (semi?)formal response from the IETF
>> >> group? I can understand that they might not want to, but some of the
>> >> points made seem salient, the problem is/will become what recommendations
>> >> go out to people what to implement.
>> >>
>> >> We get that question very regularly from users, so we have our thinking
>> >> caps on at the moment.
>> >>
>> >> steve.
>> >>
>> >> On Jul 29, 2012, at 2:59 PM, Hannes Tschofenig wrote:
>> >>> Thanks for sharing your views, Steve.
>> >>>
>> >>> I agree with your statements below and it would indeed be strange if
>> >>> Eran gets to decide that a technology dies (that is already widely
>> >>> implemented and deployed).
>> >>>
>> >>> I would have liked to get the specification finished earlier myself and,
>> >>> funny enough, Eran is also responsible for the delay (although not the
>> >>> only person).
>> >>>
>> >>>
>> >>> On Jul 29, 2012, at 2:38 PM, Steven WIllmott wrote:
>> >>>
>> >>>>
>> >>>> I certainly don't think it's dead - Eran makes some important points
>> >>>> and the current 2.0 spec has certainly dragged a long time to get
>> >>>> final. The biggest concern is fragmentation between implementations -
>> >>>> the suggestion of using a concrete instantiation (e.g. Facebook) only
>> >>>> take you so far.
>> >>>>
>> >>>> The IETF group is still a legitimate body, with a legitimate process -
>> >>>> however given the nature of the criticisms and who they come from, I'd
>> >>>> hope someone from that group steps forward and outlines a response and
>> >>>> -- for the legitimate comments perhaps an evolutionary path.
>> >>>>
>> >>>> There are also some other potential efforts to monkey patch oAuth 1.0a
>> >>>> - eg. see: http://news.ycombinator.com/item?id=4294959, but who knows
>> >>>> where these will go.
>> >>>>
>> >>>> I wouldn't call oAuth dead - it's the best pattern we have for this
>> >>>> kind of thing, but there's certainly a danger of fragmentation right
>> >>>> now.
>> >>>>
>> >>>> steve.
>> >>>>
>> >>>>
>> >>>> On Jul 29, 2012, at 6:24 AM, André Fiedler wrote:
>> >>>>
>> >>>>> OAuth 2.0 and the Road to Hell:
>> >>>>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>> >>>>>
>> >>>>>
>> >>>>> 2012/4/15 Hannes Tschofenig <[email protected]>
>> >>>>> You can subscribe to the IETF OAuth mailing list here:
>> >>>>> http://datatracker.ietf.org/wg/oauth/charter/
>> >>>>>
>> >>>>> (On the left side you can find the links to the subscribe page as well
>> >>>>> as to the archive. If you look at the archive at
>> >>>>> http://www.ietf.org/mail-archive/web/oauth/current/maillist.html you
>> >>>>> will notice that there are "a few mails since May 2009...)
>> >>>>>
>> >>>>> On Mar 21, 2012, at 11:06 AM, André Fiedler wrote:
>> >>>>>
>> >>>>>> Ok, many thanks for your answers. So I will build upon OAuth (OAuth
>> >>>>>> Provider) and hope this is the right step.
>> >>>>>>
>> >>>>>> 2012/3/21 Nat Sakimura <[email protected]>
>> >>>>>> So it has moved on to IETF from oauth.org.
>> >>>>>>
>> >>>>>> Google, Facebook among others have been implementing OAuth 2.0
>> >>>>>> various revisions to this date.
>> >>>>>> OAuth 2.0 in IETF is near its completion.
>> >>>>>>
>> >>>>>> Best,
>> >>>>>>
>> >>>>>> Nat
>> >>>>>>
>> >>>>>>
>> >>>>>> On Tue, Mar 20, 2012 at 4:16 AM, SunboX <[email protected]>
>> >>>>>> wrote:
>> >>>>>> Last Blog-Post on oauth.net is from May 2009. All php libraries are
>> >>>>>> sleeping since one year (http://code.google.com/p/oauth-php/source/list).
>> >>>>>> Who did see OAuth 2.0 somewhere?
>> >>>>>>
>> >>>>>> Is OAuth dead?
>> >>>>>>
>> >>>>>> --
>> >>>>>> You received this message because you are subscribed to the Google
>> >>>>>> Groups "OAuth" group.
>> >>>>>> To post to this group, send email to [email protected].
>> >>>>>> To unsubscribe from this group, send email to
>> >>>>>> [email protected].
>> >>>>>> For more options, visit this group at
>> >>>>>> http://groups.google.com/group/oauth?hl=en.
>> >>>>>>
>> >>>>>> --
>> >>>>>> Nat Sakimura (=nat)
>> >>>>>> Chairman, OpenID Foundation
>> >>>>>> http://nat.sakimura.org/
>> >>>>>> @_nat_en
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
