Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

Thu, 09 Aug 2012 12:23:04 -0700 

On 09/08/12 20:53, William Mills wrote:

MAC fixes the signing problems encountered in OAuth 1.0a, yes there are
libraries out there for OAuth 1.0a. MAC fits in to the OAuth 2 auth
model



I work on the framework which already supports MAC (with major thanks to 
a user contribution). I'm not too worried that MAC draft may not end up 
being a final specification - because OAuth2.0 allows for different 
token types and whatever MAC already offers can be 'packaged' as a 
custom token if really needed, moreover, experienced users may help to 
fix whatever bugs that still remain in the draft; I'm very new to this 
list and effort, but I think I can get that it offers a (symmetric) 
holder-of-key support - and as such it's good for the framework because 
there will be users which will like working with MAC.



Having said that, I'd really like to give some support to the idea of 
completing the draft - to minimize the proliferation of custom token 
types which may end up trying to solve the same problem



and will provide for a single codepath for sites that want to use
both Bearer and MAC.


+1

Sergey



------------------------------------------------------------------------
*From:* Dick Hardt <dick.ha...@gmail.com>
*To:* William Mills <wmills_92...@yahoo.com>
*Cc:* "oauth@ietf.org" <oauth@ietf.org>
*Sent:* Thursday, August 9, 2012 10:27 AM
*Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01


On Aug 9, 2012, at 9:52 AM, William Mills wrote:


I find the idea of starting from scratch frustrating. MAC solves a set
of specific problems and has a well defined use case. It's symmetric
key based which doesn't work for some folks, and the question is do we
try to develop something that supports both PK and SK, or finish the
SK use case and then work on a PK based draft.

I think it's better to leave them separate and finish out MAC which is
*VERY CLOSE* to being done.


Who is interested in MAC? People can use OAuth 1.0 if they prefer that
model.

For my projects, I prefer the flexibility of a signed or encrypted JWT
if I need holder of key.

Just my $.02

-- Dick





_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





























					Reply via email to