Hi all,
Eran suggested removing the Client Assertion functionality from the
draft-ietf-oauth-v2 specification in his mail from last month:
http://www.ietf.org/mail-archive/web/oauth/current/msg05027.html
This led to a heated discussion.
Going through the discussions I got the following impression:
"+" means in favor of removing the Client Assertion credential
functionality from the draft-ietf-oauth-v2 specification and
"-" means against it.
"*" indicates some constraints.
+Eran
*Phil (was talking about a stronger version of the client assertion
credentials)
+David
*Francisco (also has a stronger version in mind)
-Mike
*Marius (Marius has plans to use client assertions in two profiles. So,
I assume he wants to have the functionality but I do not know whether he
cares about where it is documented; in the main spec or in a separate
document.)
Please correct me if I have forgotten someone or misinterpreted
someone's statement.
The feedback from the group as I have seen it was a bit difficult to
interpret (particularly from Phil, Francisco, and Marius). So, a
clarification would be good.
Feedback indicated that there is interest in deploying the Client
Assertion credential functionality. That's good.
My reading of Section 3.2 of OAuth version -11 is that this
functionality is NOT mandatory to implement.
So, for me the question therefore is where to describe this
functionality. Here are my questions:
1a) Do you insist on having it documented in draft-ietf-oauth-v2?
PLEASE NOTE: Having functionality in a separate document does not mean
that it will take longer to complete nor that it is less important. It
is purely a document management question!
1b) If your answer to question (1) is "NO" then here is another question
for you: Would you be willing to co-author a document on this
functionality?
2) Do you think that the text in Section 3.2 of version -11 is not
sufficient for interoperability, incomplete from a security point of
view, or lacking some other functionality?
Without going through the arguments again I would like to get a sense
from the group.
Deadline for response: Feb, 10th 2011
Ciao
Hannes