Re: [oauth] Is OAuth death?
Hi Steve,

Actually, the OAuth 2.0 Core and Bearer specs were approved by IESG to be sent to RFC Editor as of today. That means, it is essentially done.

Nat

On Wed, Aug 1, 2012 at 3:02 PM, Steven Willmott stev...@gmail.com wrote:
> Hi Hannes,
>
> Thanks for your answer - I can definitely understand the sentiments and of course as you mentioned before there is more than one side of the story and this absolutely isn't one person's decision!
>
> Also maybe official statements are not appropriate / possible but I would ask (and I think a lot of people would):
>
> 1. Will the IETF group complete the process and still finalize a full specification as foreseen? (and in the timeframe foreseen - I think the charter runs to 2013 if I'm not wrong.)
>
> 2. Will there be any activity which takes on board / responds to some of the points made by Eran? (Note I'm not saying there is an obligation - just that it feels like some acknowledgement would make sense and an idea that the comments had been received and considered (or not)).
>
> You stated that Eran would disagree - which may be true of course, but I don't think this is a reason not to make statements.
>
> I guess what I'm trying to say above all is that people will be trying to make decisions about adoption and it would be helpful to have a forward-looking statement from the IETF group as to where things are headed. Even if this is not at all in doubt for the group, it might be when seen from the outside.
>
> Don't know if that makes some kind of sense.
>
> steve.
>
> On Aug 1, 2012, at 2:42 PM, Hannes Tschofenig wrote:
>> Hi Steven,
>>
>> I don't think there will be a formal response and here are the reasons:
>>
>> a) The press does not seem to be interested in spending time looking at details, since otherwise they would have at least gotten more input prior to posting their stories. They did, however, only copy text from Eran's blog post.
>>
>> b) Eran is not likely to agree with us regardless of what we write. He did not care about the views of others during the past few years either.
>>
>> c) Those who have worked on an implementation and deployed OAuth 2.0 do not need any formal response from us. They have already experienced OAuth 2.0 and they, as many posts confirm, do not find it complicated to implement nor to deploy.
>>
>> d) Those who are thinking about using OAuth 2.0 need to think about what they are trying to accomplish. Those trying to write their own OAuth 2.0 library will have to read through the specification. There is no way around it. Application developers, who are just using OAuth, will have to think about their use case. For example, if you want to write an application that uses Facebook then you will have to look at their SDK. For all the others who are creating their own application deployment (like a site that offers access to a protected resource) I suggest re-using one of the existing libraries (instead of implementing OAuth from scratch). For this group I doubt they are interested in any standardization-related discussion.
>>
>> I hope that this makes sense to you. If you have any recommendations of what guidance developers would like to see I am sure we can put some information together.
>>
>> Ciao
>> Hannes
>>
>> On Jul 29, 2012, at 4:31 PM, Steven Willmott wrote:
>>> Hi Hannes,
>>>
>>> Do you think there will be some sort of (semi?)formal response from the IETF group? I can understand that they might not want to, but some of the points made seem salient; the problem is/will become what recommendations go out to people on what to implement. We get that question very regularly from users, so we have our thinking caps on at the moment.
>>>
>>> steve.
>>>
>>> On Jul 29, 2012, at 2:59 PM, Hannes Tschofenig wrote:
>>>> Thanks for sharing your views, Steve.
>>>>
>>>> I agree with your statements below and it would indeed be strange if Eran gets to decide that a technology dies (that is already widely implemented and deployed). I would have liked to get the specification finished earlier myself and, funny enough, Eran is also responsible for the delay (although not the only person).
>>>>
>>>> On Jul 29, 2012, at 2:38 PM, Steven Willmott wrote:
>>>>> I certainly don't think it's dead - Eran makes some important points and the current 2.0 spec has certainly dragged a long time to get final. The biggest concern is fragmentation between implementations - the suggestion of using a concrete instantiation (e.g. Facebook) only takes you so far.
>>>>>
>>>>> The IETF group is still a legitimate body, with a legitimate process - however given the nature of the criticisms and who they come from, I'd hope someone from that group steps forward and outlines a response and -- for the legitimate comments perhaps an evolutionary path.
>>>>>
>>>>> There are also some other potential efforts to monkey patch oAuth 1.0a - eg. see: http://news.ycombinator.com/item?id=4294959, but who knows where these will go.
>>>>>
>>>>> I wouldn't call oAuth dead - it's the best pattern we have for this
Re: [oauth] Is OAuth death?
Hi Nat,

Yes, indeed - just saw that on twitter, after sending the below. That's good news - do you know what the expectation is for finalization?

thanks and all the best,

steve.

On Aug 1, 2012, at 11:42 PM, Nat Sakimura wrote:
> Hi Steve,
>
> Actually, the OAuth 2.0 Core and Bearer specs were approved by IESG to be sent to RFC Editor as of today. That means, it is essentially done.
>
> Nat
Re: [oauth] Is OAuth death?
There is one glitch to be sorted out: the MIME type for form encoding is not IANA registered. It should be registered by W3C. However, I expect it to be sorted out pretty quickly.

Hannes, do you have any comment?

Nat

On Thu, Aug 2, 2012 at 10:55 AM, Steven Willmott stev...@gmail.com wrote:
> Hi Nat,
>
> Yes, indeed - just saw that on twitter, after sending the below. That's good news - do you know what the expectation is for finalization?
>
> thanks and all the best,
>
> steve.
>
> On Aug 1, 2012, at 11:42 PM, Nat Sakimura wrote:
>> Hi Steve,
>>
>> Actually, the OAuth 2.0 Core and Bearer specs were approved by IESG to be sent to RFC Editor as of today. That means, it is essentially done.
>>
>> Nat