I agree that HOK may be independent of MAC and should be a separate issue, as 
MAC does not solve my proof of possession for a HOK solution.

From: [email protected] [mailto:[email protected]] On Behalf Of 
William Mills
Sent: Monday, November 26, 2012 10:42 AM
To: Phil Hunt; Sergey Beryozkin
Cc: <[email protected]>
Subject: Re: [OAUTH-WG] What needs to be done to complete MAC

I object to tying MAC to HOK; I see them as independent and I frankly don't 
understand why folks insist that MAC cannot proceed without a broader HOK spec.

-bill

________________________________
From: Phil Hunt <[email protected]>
To: Sergey Beryozkin <[email protected]>
Cc: "<[email protected]>" <[email protected]>
Sent: Monday, November 26, 2012 10:28 AM
Subject: Re: [OAUTH-WG] What needs to be done to complete MAC

If we want to get this done we have to get agreements on the requirements for 
HOK. Several meetings ago (Quebec) the group indicated that MAC wasn't 
appropriate to anyone's needs.

Some would argue that OAuth1 users arguably have less security than the simpler 
bearer token/TLS model in OAuth2. This just shows the real issue of 
demonstrated need has not been properly defined and understood.

More dialog on use cases is very helpful to moving HOK/MAC/etc forward.

Phil

On 2012-11-26, at 10:15, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
> What needs to be done to complete the MAC token spec? Without having it 
> signed off it will be difficult to get people working with OAuth 1.0 
> convinced to move to 2.0.
> I'm seeing another user request for getting OAuth 1.0 support extended 
> further because the user expects it is more secure, and I guess because it is 
> proven to work for people, and I guess because many OAuth 1.0 users feel that 
> they should stay away from OAuth 2.0 because of some bad press.
>
> Without MAC being completed the division will continue, with even more 
> misleading anti-OAuth2 posts appearing (though I guess some of the better 
> posts point to some level of complexity in 2.0).
>
> Is it a matter of a security expert validating the text, fixing a few typos, 
> and basically signing it off?
>
> If someone is interested then I can provide the info offline on how MAC is 
> supported in our framework to get things tested easily and such...
>
> Cheers, Sergey
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth