> 1. Why are you here? What are you trying to solve that is not already addressed by existing specifications (OAuth 1.0a, WRAP, etc)?

I want to see a single hardened protocol rather than fragmented proprietary solutions. My leaning is towards a secure solution suitable for enterprise customers more than an easy to use solution for long end developers. To that end, standardizing on something that can then be used to build better library support should satisfy all parties.

> 2. Should the WG start by taking WRAP or OAuth 1.0a as its starting point? Something else?

Not sure. WRAP is better from an architecture point of view but OAuth has put more thought into security.

> 3. If we start from draft-hammer-oauth, what needs to change to turn it into OAuth 2.0?

Better separation of authorization (get a token) from authentication (use a token).

> 4. If we start from draft-hardt-oauth, what needs to change to turn it into OAuth 2.0?

Fill out the section on security considerations, e.g. spell out assumptions on infrastructure like SSL that are required to ensure security, or threat models for non-SSL.

> 6. Should we go back to working on a single specification?

Yes.

> 7. Do you think the protocol should include a signature-based authentication scheme?

Yes. I think there will be some use cases or worries from over-cautious CIOs that will necessitate it.

Mark McGloin

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
