Perhaps this is picking nits but I want to clarify my opinion: I'm fine if the core spec *mentions* signatures, I just don't want it to *define* them. I'm perfectly happy with a section on "if you want to do signing, here's a way to do signing", but I want that way to be defined and described elsewhere. I think that the wide use of the "signed HTTP request" pattern of 2-legged OAuth 1.0 has shown us that there is utility to the signing capability outside of the token mechanism. I could see people profiling OAuth 1.0 signing, Magic Signatures, JSON Tokens, and maybe other approaches, all for use with OAuth2 tokens or even otherwise-bare HTTP.
-- Justin

On Fri, 2010-09-24 at 16:37 -0400, Eve Maler wrote:
> +1 for signature support in the core spec (which may look like normative
> pointers out to a separate spec module if it turns out there's wider usage
> for that module beyond OAuth).
>
> Eve
>
> On 23 Sep 2010, at 6:43 PM, Eran Hammer-Lahav wrote:
>
> > Since much of this recent debate was done off list, I'd like to ask people
> > to simply express their support or objection to including a basic signature
> > feature in the core spec, in line with the 1.0a signature approach.
> >
> > This is not a vote, just taking the temperature of the group.
> >
> > EHL
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
> Eve Maler          http://www.xmlgrrl.com/blog
> +1 425 345 6756    http://www.twitter.com/xmlgrrl
