Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
Has anyone gathered and reviewed use cases? I haven't seen much of that showing up on the list. From my experience, asking people for use cases rarely works, unless someone is willing to do the work and collect them (and so far I haven't heard from such a volunteer). I much prefer the process in

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
I read the minutes. I don't need to be on the call to present my views on how to proceed. That's not how the IETF operates. I have been expressing my views for the past year, right here on the list. I didn't see any consensus call from the chairs about taking this approach (instead of others).

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Blaine Cook
I've started a wiki page here: http://trac.tools.ietf.org/wg/oauth/trac/wiki/OauthFeatureMatrix to pull in the features people think are important, and give us both some way of collecting that data over time and expressing what's present or missing from each protocol proposal. Despite being

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
On 2010-02-03, at 11:21 AM, Eran Hammer-Lahav wrote: -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Wednesday, February 03, 2010 11:19 AM To: Dick Hardt Cc: OAuth WG Subject: Re: [OAUTH-WG] proposed agenda for

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
On 2010-02-03, at 12:01 PM, Peter Saint-Andre wrote: <hat type='chair'/> On 2/3/10 12:46 PM, Dick Hardt wrote: Wanting to discuss technical details when there does not seem to be consensus on the problem we are solving was my Titanic reference. Remember, these interim meetings are

[OAUTH-WG] Comment on draft-hammer-http-token-auth-01

2010-02-03 Thread Manger, James H
Comments on draft-hammer-http-token-auth-01 (3 Feb 2010) after a quick read. [http://tools.ietf.org/html/draft-hammer-http-token-auth-01] The simple bearer token mode is still buried as an exception to the request signing rules. This just isn’t necessary, it’s awful. Choosing a hash

Re: [OAUTH-WG] Comment on draft-hammer-http-token-auth-01

2010-02-03 Thread Manger, James H
I disagree. Voiding a token to stop supporting an algorithm is perfectly reasonable and might not even require user involvement if the refresh mechanism is (adopted and) used. And if the reason for this is a broken algorithm, well, I would hope the tokens are voided, not just used with the

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Eran Hammer-Lahav
Just to be clear, I was referring to the case where a client can figure out how to obtain authorization and then authenticate without any pre-configuration. This means giving a discovery flow for each type of authorization option (desktop, mobile, web, etc.) with all the parameters needed for