If we want to get this done we have to get agreements on the requirements for HOK. Several meetings ago (quebec) the group indicated that mac wasn't appropriate to anyone's needs.
Some would argue that OAuth1 users arguably have less security than the simpler bearer token /tls model in OAuth2. This just shows the real issue of demonstrated need has not been properly defined and understood. More dialog on use cases is very helpful to moving HOK/MAC/etc forward. Phil On 2012-11-26, at 10:15, Sergey Beryozkin <[email protected]> wrote: > Hi > > What needs to be done to complete the MAC token spec ? Without having it > signed off it will be difficult to get people working with OAuth 1.0 > convinced to move to 2.0. > I'm seeing another user request for getting OAuth 1.0 support extended > further because the user expects it is more secure, and I guess because it is > proven to work for people, and I guess because many OAuth 1.0 users feel that > should stay from OAuth 2.0 because of some bad press. > > Without MAC being completed the division will continue, with even more > misleading anti-OAuth2 posts appearing (though I guess some of the better > posts point to some level of complexity in 2.0). > > Is it a matter of a security expert validating the text, fixing few typos, > and basically signing it off ? > > If someone is interested then I can provide the info offline on how it MAC > supported in our framework to get things tested easily and such... > > Cheers, Sergey > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
