I agree with your point that consensus is based on individual voices.

I agree with Eric's points that signatures are a generic security mechanism and 
that signatures should be in a separate spec. 

-- Dick


On 2010-09-23, at 6:11 PM, Eran Hammer-Lahav wrote:

> It is pretty clear from the recent public response that a core specification 
> without signatures is going to be viewed as weak and insecure. This has been 
> my position for over a year, and if it wasn’t clear, I am going to continue 
> expressing it.
> 
> We have enough interest to get a basic signature support in the core 
> specification, one that is not driven by enterprise use cases, complex 
> identity solutions, or large distributed systems. The recent Twitter 
> migration to OAuth 1.0a proved that with a big enough carrot (or stick, 
> depending on your view), developers figure it out. I believe that an OAuth 
> 1.0a style signature can be easily developed and added to the core 
> specification as an optional feature.
> 
> This is not new. This was agreed upon at the Anaheim meeting. I took the 
> signature language out of the draft in order to focus the discussion on the 
> other components. Now that -10 is pretty solid (normative language-wise), it 
> is time to bring it back in.
> 
> Draft -11 will include a signature proposal, even if that means a short delay.
> 
> The arguments about delaying the core spec are meritless, given that a 
> growing number of companies are releasing OAuth 2.0 APIs using the latest 
> stable draft. We can easily do a WGLC for the current stable components, and 
> add signatures without changing those. This working group does not make 
> technical and architectural decisions based on the timeline needs of any 
> company. We do what is best for the web and we take as much time as necessary.
> 
> As an aside, while companies can certainly express their corporate position 
> on matters, this is a working group of individuals, and consensus is based 
> solely on individual voices.
> 
> EHL
> 
> On 9/23/10 5:30 PM, "Eric Sachs" <esa...@google.com> wrote:
> 
> Google wanted to re-state our long-standing opinions on HTTP signature 
> mechanisms in the OAuth2 spec.  The short version is that standards for 
> signing parts of an HTTP request have value in use-cases other than OAuth2, 
> and thus they should be defined outside the spec, and just referenced from 
> the spec similar to how we reference other Internet security building blocks 
> like SSL.  Those signature standards are likely to in turn reference optional 
> mechanisms for key rotation and discovery, as well as reference different 
> crypto schemes like HMAC or RSA.
> 
> There are already people in the identity community working on specs that are 
> related to OAuth2, but which have value in other use-cases.  For example, 
> there are people working on defining standards around token formats, signing 
> blobs of different types (such as a token and/or HTTP request), key 
> discovery/rotation, and consumer-key namespaces across vendors.  Dirk Balfanz 
> from Google recently sent out updated drafts of some of those specs, and they 
> also leverage specs that John Panzer from Google has worked on for Magic 
> Signatures, as well as input from people in the community who are not at 
> Google.
> 
> However even though Google is working on those specs, we still believe it is 
> a mistake to delay the OAuth2 core spec standard to wait on broad agreement 
> for a "signature proposal," just as it would be a mistake to delay the OAuth2 
> core spec to wait on the standards efforts around token formats, token 
> signing, key discovery/rotation, consumer-key naming, etc.
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
