You are mistaken, I cite MAC directly right now, but now that it is up in the
air I would much rather rely on 3 specs (Oauth 2 core, Bearer, and 1.0a) than
refer to MAC when I think I can do without MAC and use 1.0a instead. MAC is
now in flux again, the other 3 are stable or already standards.
I think you also mistaken that we can't support 1.0a and OAuth 2 tokens in the
same SASL mechanism. Why do you think this is true?
________________________________
From: Hannes Tschofenig <[email protected]>
To: William Mills <[email protected]>
Cc: Hannes Tschofenig <[email protected]>; Mike Jones
<[email protected]>; O Auth WG <[email protected]>
Sent: Tuesday, August 14, 2012 10:48 PM
Subject: Re: [OAUTH-WG] OAuth 1.0a
FYI: just to repeat my note here as well that I sent to Bill on the KITTEN list:
I see three possible ways forward for the OAuth SASL work, namely:
> • Focus on Oauth 1.0 only (since it has a MAC specification in there).
> Then, you ignore all the Oauth 2.0 deployment that is out there, of which
> there is a lot. That would be pretty bad IMHO.
> • Copy relevant parts from
> http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 (of which there is
> almost no deployment).
> • Wait for the Oauth group to settle on a mechanism. May take time.
I doubt that the question about the views of the WG about OAuth 1.0a can answer
any of the above questions.
Bill does not want to wait. He also does not want to copy parts from
draft-ietf-oauth-v2-http-mac-01 into the SASL OAuth spec. Focusing on OAuth 1.0
for now would require the specification to be extended later on to fit to OAuth
2.0 deployments (and whatever new security mechanism we will come up with). As
a consequence, the specification will then suffer from additional complexity.
Ciao
Hannes
On Aug 14, 2012, at 10:37 PM, William Mills wrote:
> It's for the OAUTH SASL spec. I've been writing it with the idea that OAuth
> 1.0a would work (since I think we'll have extant 1.0a typ[e tokens we want to
> allow for IMAP), but several folks were saying when this all started that
> 1.0a was dead and I should not refer to it.
>
> I want to make sure the SASL mechanism is build to properly handle signed
> auth schemes and not just bearer (cookie) type.
>
> -bill
>
> From: Mike Jones <[email protected]>
> To: William Mills <[email protected]>; O Auth WG <[email protected]>
> Sent: Tuesday, August 14, 2012 12:28 PM
> Subject: RE: [OAUTH-WG] OAuth 1.0a
>
> What problem are you trying to solve?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of
> William Mills
> Sent: Tuesday, August 14, 2012 12:22 PM
> To: O Auth WG
> Subject: [OAUTH-WG] OAuth 1.0a
>
> What's the general opinion on 1.0a? Am I stepping in something if I refer to
> it in another draft? I want to reference an auth scheme that uses signing
> and now MAC is apparently going back to the drawing board, so I'm thinking
> about using 1.0a.
>
> Thanks,
>
> -bill
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
