The chairs sent a longer list of new items to consider. This does not replace 
that list but only focuses on the immediate next steps.

EHL

On Sep 30, 2010, at 8:38, "Torsten Lodderstedt" 
<tors...@lodderstedt.net<mailto:tors...@lodderstedt.net>> wrote:

Bassically, your suggestion sounds reasonable to me.

The only thing I'm missing is discovery. As you pointed out in 
<http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/>
 http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/ 
this is a major enabler for interoperable APIs and motivates the need for 
signatures. Shouldn't we consider discovery, too?

regards,
Torsten.

Am 29.09.2010 18:20, schrieb Eran Hammer-Lahav:
(This is a draft overview of our next steps. Clearly, this can change based on 
working group consensus.)

Proposal discussion

The working group is still discussing the compromise proposal for moving 
section 5 out of the specification. So far there is general support but some 
have raised concerns (I have not seen any strong objections yet). I am going to 
ask the chairs for an official consensus call on this on Friday. I will not 
publish another draft until we close this matter properly. While a consensus 
call does not end debate, it provides a useful tool to move forward and reduce 
the likelihood of future arguments.

Editorial work

I have been working on -11 and have applied all the feedback received so far. I 
am still working on the compromise structure of reintroducing the separate 
profiles into the document, but that is purely an editorial change. As soon as 
we resolve the issue around the document structure, I will finish the work and 
publish it. All the normative language changes are already “published” on my 
github account [1].

If the proposal is approved, I plan to remove my name from the bearer token 
specification and hand over that section to someone else. Selecting an editor 
is the sole discretion of the chairs, but if you are interested in taking over 
that document (which will include all of section 5 of the current draft, with a 
new introduction), please let the chairs know soon. I will get you off to a 
good start by providing the first draft with all the necessary parts ready for 
editing. I will also help as much as needed (my dislike for this document will 
not prevent me for offering as much support as requested).

Signature work

Mike and Dirk have been making good progress with their proposals, and I hope 
that we will soon have a single unified draft to work on. Once that is ready, 
the working group will need to decide if it wants to promote the proposal to a 
working group item, and if adopted, the chairs will need to pick an editor for 
that work (not me).

Assuming the signature proposal is going to keep its duplication of HTTP 
request elements, I plan to introduce an alternative proposal based on the 
OAuth 1.0a HMAC-SHA-1 method, my earlier token scheme proposal, and the recent 
proposal from draft -05. I do not plan to ask for this draft to become a 
working group item (I do plan to use this list for discussions though), but 
will have no objections if others ask. I have absolutely no desire to engage in 
any more working group debate around which of the two approaches is better. I 
will promote my ideas elsewhere and will let the market decide.

Additional documents

We have a few proposed I-D dealing with artifact binding, SAML assertions, 
token revocation, and others. These seems to be in good enough state to 
consider making them a working group item (a process started by the chairs but 
which seems stuck). I suggest that the authors make an official request to the 
chairs and get it done. My proposal is that any document that is ready for last 
call alongside the main working group specifications will be directly 
referenced in them.

Timeline

If the proposal is approved, I believe we can move to working group last call 
by the end of the year. To get there, we will need to complete at least two 
more round of review (i.e. get to a -13). I am not expecting any new normative 
changes (but don’t have any control over it either). This will require the 
completion and integration of the security consideration section in -12.

This means:

-11 – last round of normative changes, document split, reintroducing profiles 
(mid October)
-12 – security consideration section (early November)
-13 – last call document (early December)

To get the bearer token document ready for last call, someone will need to take 
over as editor as well as get the security consideration section done for that 
part. The two documents do not need to enter last call together, but it will 
probably be a useful thing to do. I do not see any other last call dependencies 
(such as a signature draft).

If we remain focused and move forward with the proposed compromise, we should 
be able to meet this timeline. Otherwise, I have seen nothing to suggest 
reaching last call for any document this year (but am always open to new 
proposals that have not been rejected or strongly opposed before).

Open Issues

With the pending publication of draft -11 I would like to ask everyone to treat 
it as a working group last call and raise any objections or issues they have. 
If anything in the document will cause you to raise objections to its 
publication, please share those as soon as possible. I hope to have a quick and 
quite review for -13, followed quickly by a working group last call.

Keep in mind that missing the these goals will mean February as the next likely 
timeline, given the historical lack of activity in December and January.

EHL

[1] <http://github.com/theRazorBlade/draft-ietf-oauth> 
http://github.com/theRazorBlade/draft-ietf-oauth



_______________________________________________
OAuth mailing list
<mailto:OAuth@ietf.org>OAuth@ietf.org<mailto:OAuth@ietf.org>
<https://www.ietf.org/mailman/listinfo/oauth>https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to