Hannes,

> ...
> There is a document in the draft repository that talks about use cases,
> namely http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/
> But it had never gotten a lot of attention on the list. (I don't know
> why.)

Actually, there is good news here: We've got 13 queries on the list (in addition to some private ones) with constructive suggestions, and we are working with Torsten on incorporating all of them. In particular, the next issue of the draft will include George's use case submitted recently. Furthermore, as the WAC community is looking at OAuth, we will soon have a WAC use case (or a set of use cases). So, I am pretty happy with the attention level: we get positive contribution while not getting disruption.

As for specific security issues, I think up to now we dealt with a different problem: Our use cases have reflected authentication requirements, but concentrated on the use scenarios (which protocol features should reflect) rather than dealing with specific threats that affect the features. This specific work will be coming from Torsten. I am not sure whether the use case document should delve into security detail, except for cases (such as payment) that in themselves dictate the protection level. As Igor wrote, security requirements for accessing health records are very different from those for accessing photos on Flickr.

This is what I hope we can discuss at the meeting--formal or informal--in 10 days. I am open to all suggestions.

Zachary

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Thursday, October 28, 2010 7:05 AM
To: ext Freeman, Tim; [email protected]
Subject: Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)

Hey Tim,

Earlier this year we had discussions around use cases but they did not lead to more insight. There is a document in the draft repository that talks about use cases, namely http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/ But it had never gotten a lot of attention on the list. (I don't know why.)

Efforts to reach out to the Kantara UMA group for more sophisticated use cases that motivate some security mechanisms have not produced anything either. (I believe the reason was that the scenarios focused on the user-experience aspect rather than on security differences.)

If you look at the draft that Blaine and I put together recently (see http://datatracker.ietf.org/doc/draft-tschofenig-oauth-signature-thoughts/ ) then you will notice that from a security point of view there is very little difference between using message signing on the HTTP layer and using TLS with respect to a certain class of security threats. In our recommendation we actually suggest to recommend to go for the HTTP layer security because we are worried that ***operational*** aspects will go wrong in deployments.

While I was convinced initially that looking at the use cases will get us further on the security questions it actually does not.

Ciao
Hannes

PS: Btw, your feedback on the security draft would be of interest to us.

On 10/27/10 9:09 PM, "ext Freeman, Tim" <[email protected]> wrote:

> On the face of it, it seems that discussion of whether and how to split the
> document has derailed collection of use cases. If we had consensus on a list
> of use cases, that would mean we have identified the problems we're trying to
> solve. This would still allow slimy political manipulation of the process by
> manipulating the use case list, but that would be progress. It's better to
> have a protocol that solves a politically-defined set of problems than to have
> a politically-defined protocol that solves no identified problem.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
