Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Tirumaleswar Reddy (tireddy)
And me.

-Tiru

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Antonio Sanso
Sent: Friday, September 12, 2014 12:20 PM
To: Gil Kirkpatrick
Cc: Derek Atkins; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

I would like to attend as well ...

regards

antonio

On Sep 12, 2014, at 3:00 AM, Gil Kirkpatrick <gil.kirkpatr...@viewds.com> wrote:


+1 for me.

-- Original Message --
From: "John Bradley" <ve7...@ve7jtb.com>
To: "Nat Sakimura" <sakim...@gmail.com>
Cc: "Derek Atkins" <de...@ihtfp.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: 12/09/2014 9:30:50 AM
Subject: Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

And me

Sent from my iPhone

On Sep 11, 2014, at 7:49 PM, Nat Sakimura <sakim...@gmail.com> wrote:
Add me, too.

2014-09-12 7:32 GMT+09:00 Anthony Nadalin <tony...@microsoft.com>:
Add me

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On 
Behalf Of Hannes Tschofenig
Sent: Thursday, September 11, 2014 3:30 PM
To: oauth@ietf.org
Cc: Derek Atkins
Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?

Hi all,

at the last IETF meeting Mike gave a presentation about the 
draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion was to 
discuss the problems that happen when OAuth gets used for authentication.

The goal of this effort is to document the problems in an informational 
document.

Conference calls could start in about 2 weeks and we would like to know who 
would be interested to participate in such a discussion.

Please drop us a private mail so that we can find suitable dates/times.

Ciao
Hannes & Derek
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Antonio Sanso
I would like to attend as well …

regards

antonio

On Sep 12, 2014, at 3:00 AM, Gil Kirkpatrick <gil.kirkpatr...@viewds.com> wrote:

+1 for me.

-- Original Message --
From: "John Bradley" <ve7...@ve7jtb.com>
To: "Nat Sakimura" <sakim...@gmail.com>
Cc: "Derek Atkins" <de...@ihtfp.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: 12/09/2014 9:30:50 AM
Subject: Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

And me

Sent from my iPhone

On Sep 11, 2014, at 7:49 PM, Nat Sakimura <sakim...@gmail.com> wrote:

Add me, too.

2014-09-12 7:32 GMT+09:00 Anthony Nadalin <tony...@microsoft.com>:
Add me

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On 
Behalf Of Hannes Tschofenig
Sent: Thursday, September 11, 2014 3:30 PM
To: oauth@ietf.org
Cc: Derek Atkins
Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?

Hi all,

at the last IETF meeting Mike gave a presentation about the 
draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion was to 
discuss the problems that happen when OAuth gets used for authentication.

The goal of this effort is to document the problems in an informational 
document.

Conference calls could start in about 2 weeks and we would like to know who 
would be interested to participate in such a discussion.

Please drop us a private mail so that we can find suitable dates/times.

Ciao
Hannes & Derek




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Gil Kirkpatrick

+1 for me.

-- Original Message --
From: "John Bradley" 
To: "Nat Sakimura" 
Cc: "Derek Atkins" ; "oauth@ietf.org" 
Sent: 12/09/2014 9:30:50 AM
Subject: Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?


And me

Sent from my iPhone

On Sep 11, 2014, at 7:49 PM, Nat Sakimura  wrote:


Add me, too.

2014-09-12 7:32 GMT+09:00 Anthony Nadalin :

Add me

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes 
Tschofenig

Sent: Thursday, September 11, 2014 3:30 PM
To: oauth@ietf.org
Cc: Derek Atkins
Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?

Hi all,

at the last IETF meeting Mike gave a presentation about the 
draft-hunt-oauth-v2-user-a4c and the conclusion following the 
discussion was to discuss the problems that happen when OAuth gets 
used for authentication.


The goal of this effort is to document the problems in an 
informational document.


Conference calls could start in about 2 weeks and we would like to 
know who would be interested to participate in such a discussion.


Please drop us a private mail so that we can find suitable 
dates/times.


Ciao
Hannes & Derek





--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread John Bradley
And me 

Sent from my iPhone

> On Sep 11, 2014, at 7:49 PM, Nat Sakimura  wrote:
> 
> Add me, too. 
> 
> 2014-09-12 7:32 GMT+09:00 Anthony Nadalin :
>> Add me
>> 
>> -Original Message-
>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Thursday, September 11, 2014 3:30 PM
>> To: oauth@ietf.org
>> Cc: Derek Atkins
>> Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?
>> 
>> Hi all,
>> 
>> at the last IETF meeting Mike gave a presentation about the 
>> draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion was 
>> to discuss the problems that happen when OAuth gets used for authentication.
>> 
>> The goal of this effort is to document the problems in an informational 
>> document.
>> 
>> Conference calls could start in about 2 weeks and we would like to know who 
>> would be interested to participate in such a discussion.
>> 
>> Please drop us a private mail so that we can find suitable dates/times.
>> 
>> Ciao
>> Hannes & Derek
>> 
> 
> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en




Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Maciej Machulak
+1

-- 
Cheers, Maciej (sent from my tablet)
On Sep 11, 2014 5:07 PM, "Phil Hunt"  wrote:

> +1. Experimental seems best here.
>
> Phil
>
> > On Sep 11, 2014, at 9:03, "Richer, Justin P."  wrote:
> >
> > +1
> >
> > That was the key line that I took from the guidelines as well and this
> was my understanding of the discussion in Toronto.
> >
> > -- Justin
> >
> >> On Sep 11, 2014, at 12:02 PM, John Bradley  wrote:
> >>
> >> I think this fits.
> >>
> >>• If the IETF may publish something based on this on the standards
> track once we know how well this one works, it's Experimental. This is the
> typical case of not being able to decide which protocol is "better" before
> we have experience of dealing with them from a stable specification. Case
> in point: "PGM Reliable Transport Protocol Specification" (RFC 3208)
> >>
> >> If we publish something it may or may not look like the current spec
> but getting some experience with the current spec will inform that decision.
> >>
> >> John B.
> >>> On Sep 11, 2014, at 12:55 PM, Phil Hunt  wrote:
> >>>
> >>> Interesting. The definitions in that don't correspond with what ADs
> and other groups are doing.
> >>>
> >>> I heard httpbis using experimental as a placeholder for a draft that
> didn't have full consensus to bring back later.
> >>>
> >>> That was the feel I had in Toronto-that we weren't done but it was
> time to publish something.
> >>>
> >>> Reading the actual definition I would say neither fits. Ugh.
> >>>
> >>> Phil
> >>>
>  On Sep 11, 2014, at 8:01, "Richer, Justin P." 
> wrote:
> 
>  According to the guidelines here:
> 
>  https://www.ietf.org/iesg/informational-vs-experimental.html
> 
>  And the discussion in Toronto, it's clearly experimental.
> 
>  -- Justin
> 
> > On Sep 11, 2014, at 10:36 AM, Anthony Nadalin 
> wrote:
> >
> > Is "experimental" the correct classification? Maybe "informational"
> is more appropriate as both of these were discussed.
> >
> > -Original Message-
> > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes
> Tschofenig
> > Sent: Wednesday, September 10, 2014 4:50 PM
> > To: oauth@ietf.org
> > Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol:
> Next Steps?
> >
> > Hi all,
> >
> > in response to the discussions at the last IETF meeting the authors
> of the "Dynamic Client Registration Management Protocol"
> > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05
> have changed the document type to "Experimental".
> >
> > We need to make a decision about the next steps for the document and
> we see the following options:
> >
> > a) Publish it as an experimental RFC
> >
> > b) Remove it from the working group and ask an AD to shepherd it
> >
> > c) Remove it from the working group and let the authors publish it
> via the independent submission track.
> >
> > In any case it would be nice to let folks play around with it and
> then, after some time, come back to determine whether there is enough
> interest to produce a standard.
> >
> > Please let us know what you think!
> >
> > Ciao
> > Hannes & Derek
> >
> >
> >


Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Phil Hunt
Me too. 

Phil

> On Sep 11, 2014, at 15:49, Nat Sakimura  wrote:
> 
> Add me, too. 
> 
> 2014-09-12 7:32 GMT+09:00 Anthony Nadalin :
>> Add me
>> 
>> -Original Message-
>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Thursday, September 11, 2014 3:30 PM
>> To: oauth@ietf.org
>> Cc: Derek Atkins
>> Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?
>> 
>> Hi all,
>> 
>> at the last IETF meeting Mike gave a presentation about the 
>> draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion was 
>> to discuss the problems that happen when OAuth gets used for authentication.
>> 
>> The goal of this effort is to document the problems in an informational 
>> document.
>> 
>> Conference calls could start in about 2 weeks and we would like to know who 
>> would be interested to participate in such a discussion.
>> 
>> Please drop us a private mail so that we can find suitable dates/times.
>> 
>> Ciao
>> Hannes & Derek
>> 
> 
> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en


Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Nat Sakimura
Add me, too.

2014-09-12 7:32 GMT+09:00 Anthony Nadalin :

> Add me
>
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, September 11, 2014 3:30 PM
> To: oauth@ietf.org
> Cc: Derek Atkins
> Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?
>
> Hi all,
>
> at the last IETF meeting Mike gave a presentation about the
> draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion
> was to discuss the problems that happen when OAuth gets used for
> authentication.
>
> The goal of this effort is to document the problems in an informational
> document.
>
> Conference calls could start in about 2 weeks and we would like to know
> who would be interested to participate in such a discussion.
>
> Please drop us a private mail so that we can find suitable dates/times.
>
> Ciao
> Hannes & Derek
>
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Hannes Tschofenig
Hi John,

don't misunderstand me: I am not planning to use our valuable OAuth WG
time to go through the claims and to discuss them.

Instead, I would like to point your attention to this IPR, to evaluate
it within your company (with whatever fancy process you have), and to
tell me at the upcoming IETF meeting whether there are concerns.

Other IPR announcements have arrived before we finished the work on them
and so it was a bit easier to take actions. We had that case a few times
in the group. So far, there have not been concerns with any of the IPR
declarations and we just continued our work as planned.

Ciao
Hannes

On 09/12/2014 12:26 AM, John Bradley wrote:
> Some large number of us would be roasted by our legal departments if we 
> looked at a patent.
> 
> Discussing the specifics of patents is not appropriate for a WG meeting.
> 
> Someone from the IETF should look at the issue but not me.
> 
> John B.
> 
> On Sep 11, 2014, at 7:22 PM, Hannes Tschofenig  
> wrote:
> 
>> Hi all,
>>
>> in private messages I have gotten questions about this IPR announcement
>> received in March 2014 and the potential implications on the core OAuth
>> 2.0 protocol. I was thinking about putting it on the agenda for the next
>> IETF meeting.
>>
>> The feedback I am hoping to get is whether there is a concern about this
>> IPR from those who have products and services based on OAuth.
>>
>> I want to know whether you see problems or not. If you have problems,
>> maybe there are ways to engineer around it.
>>
>> Ciao
>> Hannes
>>
>> PS: If someone has time to review the state of the art in 2009 I would
>> also like to chat with you.
>>
>>  Forwarded Message 
>> Subject: IPR Disclosure: Nokia Corporation's Statement about IPR related
>> to RFC 6749
>> Date: Fri, 28 Mar 2014 07:33:05 -0700
>> From: IETF Secretariat 
>> To: dick.ha...@gmail.com
>> CC: stephen.farr...@cs.tcd.ie, kathleen.moriarty.i...@gmail.com,
>> hannes.tschofe...@gmx.net, de...@ihtfp.com, oauth@ietf.org,
>> ipr-annou...@ietf.org
>>
>>
>> Dear Dick Hardt:
>>
>> An IPR disclosure that pertains to your RFC entitled "The OAuth 2.0
>> Authorization Framework" (RFC6749) was submitted to the IETF Secretariat on
>> 2014-03-28 and has been posted on the "IETF Page of Intellectual
>> Property Rights
>> Disclosures" (https://datatracker.ietf.org/ipr/2336/). The title of the IPR
>> disclosure is "Nokia Corporation's Statement about IPR related to RFC
>> 6749."
>>
>> The IETF Secretariat
>>
>>
>>
>>
>>
> 





Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Hannes Tschofenig
Hi Mike,

as I wrote in my mail below, I am looking for feedback whether the IPR
is a concern to companies.

I am not asking for a patent assessment.

Ciao
Hannes

On 09/12/2014 12:26 AM, Mike Jones wrote:
> You should not bring this to the working group, other than making people 
> aware that the disclosure exists (which you've already done).  I know that I 
> will leave the room if the contents of a patent are discussed and I will 
> encourage others to likewise do so.
> 
> Engineers should not evaluate patents.  If a person wants a legal opinion on 
> the disclosure, they should privately consult their legal counsel.
> 
>   -- Mike
> 
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, September 11, 2014 3:23 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about 
> IPR related to RFC 6749
> 
> Hi all,
> 
> in private messages I have gotten questions about this IPR announcement 
> received in March 2014 and the potential implications on the core OAuth
> 2.0 protocol. I was thinking about putting it on the agenda for the next IETF 
> meeting.
> 
> The feedback I am hoping to get is whether there is a concern about this IPR 
> from those who have products and services based on OAuth.
> 
> I want to know whether you see problems or not. If you have problems, maybe 
> there are ways to engineer around it.
> 
> Ciao
> Hannes
> 
> PS: If someone has time to review the state of the art in 2009 I would also 
> like to chat with you.
> 
>  Forwarded Message 
> Subject: IPR Disclosure: Nokia Corporation's Statement about IPR related to 
> RFC 6749
> Date: Fri, 28 Mar 2014 07:33:05 -0700
> From: IETF Secretariat 
> To: dick.ha...@gmail.com
> CC: stephen.farr...@cs.tcd.ie, kathleen.moriarty.i...@gmail.com, 
> hannes.tschofe...@gmx.net, de...@ihtfp.com, oauth@ietf.org, 
> ipr-annou...@ietf.org
> 
> 
> Dear Dick Hardt:
> 
>  An IPR disclosure that pertains to your RFC entitled "The OAuth 2.0 
> Authorization Framework" (RFC6749) was submitted to the IETF Secretariat on
> 2014-03-28 and has been posted on the "IETF Page of Intellectual Property 
> Rights Disclosures" (https://datatracker.ietf.org/ipr/2336/). The title of 
> the IPR disclosure is "Nokia Corporation's Statement about IPR related to RFC 
> 6749."
> 
> The IETF Secretariat
> 
> 
> 
> 
> 





Re: [OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Anthony Nadalin
Add me

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, September 11, 2014 3:30 PM
To: oauth@ietf.org
Cc: Derek Atkins
Subject: [OAUTH-WG] OAuth & Authentication: What can go wrong?

Hi all,

at the last IETF meeting Mike gave a presentation about the 
draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion was to 
discuss the problems that happen when OAuth gets used for authentication.

The goal of this effort is to document the problems in an informational 
document.

Conference calls could start in about 2 weeks and we would like to know who 
would be interested to participate in such a discussion.

Please drop us a private mail so that we can find suitable dates/times.

Ciao
Hannes & Derek



[OAUTH-WG] OAuth & Authentication: What can go wrong?

2014-09-11 Thread Hannes Tschofenig
Hi all,

at the last IETF meeting Mike gave a presentation about the
draft-hunt-oauth-v2-user-a4c and the conclusion following the discussion
was to discuss the problems that happen when OAuth gets used for
authentication.

The goal of this effort is to document the problems in an informational
document.

Conference calls could start in about 2 weeks and we would like to know
who would be interested to participate in such a discussion.

Please drop us a private mail so that we can find suitable dates/times.

Ciao
Hannes & Derek





Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Mike Jones
You should not bring this to the working group, other than making people aware 
that the disclosure exists (which you've already done).  I know that I will 
leave the room if the contents of a patent are discussed and I will encourage 
others to likewise do so.

Engineers should not evaluate patents.  If a person wants a legal opinion on 
the disclosure, they should privately consult their legal counsel.

-- Mike

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, September 11, 2014 3:23 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about 
IPR related to RFC 6749

Hi all,

in private messages I have gotten questions about this IPR announcement 
received in March 2014 and the potential implications on the core OAuth
2.0 protocol. I was thinking about putting it on the agenda for the next IETF 
meeting.

The feedback I am hoping to get is whether there is a concern about this IPR 
from those who have products and services based on OAuth.

I want to know whether you see problems or not. If you have problems, maybe 
there are ways to engineer around it.

Ciao
Hannes

PS: If someone has time to review the state of the art in 2009 I would also 
like to chat with you.

 Forwarded Message 
Subject: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 
6749
Date: Fri, 28 Mar 2014 07:33:05 -0700
From: IETF Secretariat 
To: dick.ha...@gmail.com
CC: stephen.farr...@cs.tcd.ie, kathleen.moriarty.i...@gmail.com, 
hannes.tschofe...@gmx.net, de...@ihtfp.com, oauth@ietf.org, 
ipr-annou...@ietf.org


Dear Dick Hardt:

 An IPR disclosure that pertains to your RFC entitled "The OAuth 2.0 
Authorization Framework" (RFC6749) was submitted to the IETF Secretariat on
2014-03-28 and has been posted on the "IETF Page of Intellectual Property 
Rights Disclosures" (https://datatracker.ietf.org/ipr/2336/). The title of the 
IPR disclosure is "Nokia Corporation's Statement about IPR related to RFC 
6749."

The IETF Secretariat







Re: [OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread John Bradley
Some large number of us would be roasted by our legal departments if we looked 
at a patent.

Discussing the specifics of patents is not appropriate for a WG meeting.

Someone from the IETF should look at the issue but not me.

John B.

On Sep 11, 2014, at 7:22 PM, Hannes Tschofenig  
wrote:

> Hi all,
> 
> in private messages I have gotten questions about this IPR announcement
> received in March 2014 and the potential implications on the core OAuth
> 2.0 protocol. I was thinking about putting it on the agenda for the next
> IETF meeting.
> 
> The feedback I am hoping to get is whether there is a concern about this
> IPR from those who have products and services based on OAuth.
> 
> I want to know whether you see problems or not. If you have problems,
> maybe there are ways to engineer around it.
> 
> Ciao
> Hannes
> 
> PS: If someone has time to review the state of the art in 2009 I would
> also like to chat with you.
> 
>  Forwarded Message 
> Subject: IPR Disclosure: Nokia Corporation's Statement about IPR related
> to RFC 6749
> Date: Fri, 28 Mar 2014 07:33:05 -0700
> From: IETF Secretariat 
> To: dick.ha...@gmail.com
> CC: stephen.farr...@cs.tcd.ie, kathleen.moriarty.i...@gmail.com,
> hannes.tschofe...@gmx.net, de...@ihtfp.com, oauth@ietf.org,
> ipr-annou...@ietf.org
> 
> 
> Dear Dick Hardt:
> 
> An IPR disclosure that pertains to your RFC entitled "The OAuth 2.0
> Authorization Framework" (RFC6749) was submitted to the IETF Secretariat on
> 2014-03-28 and has been posted on the "IETF Page of Intellectual
> Property Rights
> Disclosures" (https://datatracker.ietf.org/ipr/2336/). The title of the IPR
> disclosure is "Nokia Corporation's Statement about IPR related to RFC
> 6749."
> 
> The IETF Secretariat
> 
> 
> 
> 
> 





[OAUTH-WG] Fwd: IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749

2014-09-11 Thread Hannes Tschofenig
Hi all,

in private messages I have gotten questions about this IPR announcement
received in March 2014 and the potential implications on the core OAuth
2.0 protocol. I was thinking about putting it on the agenda for the next
IETF meeting.

The feedback I am hoping to get is whether there is a concern about this
IPR from those who have products and services based on OAuth.

I want to know whether you see problems or not. If you have problems,
maybe there are ways to engineer around it.

Ciao
Hannes

PS: If someone has time to review the state of the art in 2009 I would
also like to chat with you.

 Forwarded Message 
Subject: IPR Disclosure: Nokia Corporation's Statement about IPR related
to RFC 6749
Date: Fri, 28 Mar 2014 07:33:05 -0700
From: IETF Secretariat 
To: dick.ha...@gmail.com
CC: stephen.farr...@cs.tcd.ie, kathleen.moriarty.i...@gmail.com,
hannes.tschofe...@gmx.net, de...@ihtfp.com, oauth@ietf.org,
ipr-annou...@ietf.org


Dear Dick Hardt:

 An IPR disclosure that pertains to your RFC entitled "The OAuth 2.0
Authorization Framework" (RFC6749) was submitted to the IETF Secretariat on
2014-03-28 and has been posted on the "IETF Page of Intellectual
Property Rights
Disclosures" (https://datatracker.ietf.org/ipr/2336/). The title of the IPR
disclosure is "Nokia Corporation's Statement about IPR related to RFC
6749."

The IETF Secretariat









[OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)

2014-09-11 Thread Brian Campbell
Why does expiration only apply to the client secret[1]? If there's a need
for the AS to set an expiration, isn't it broader than that and apply to
the whole client or the client id? If there's a need to signal an
expiration time on the client secret, doesn't it follow that the client's
JSON Web Key Set (the jwks parameter) might also need to be expired? And
what about strictly implicit clients or other public clients, is there no
case that an AS would want to expire them?

I realize I've asked this before (more than once) but I've never gotten an
answer. To me, what's in this draft that's on its way to the IESG is awkward
and/or incomplete.

I believe that either the client_secret_expires_at should be removed from
draft-ietf-oauth-dyn-reg or it should be changed to something that isn't
specific to the client secret - something like client_expires_at or
client_id_expires_at.

[1] client_secret_expires_at in
https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-20#section-4.1

On Wed, Sep 10, 2014 at 5:50 PM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:

> Hi all,
>
> I have just sent the Dynamic Client Registration document to the IESG.
> The final shepherd write-up for the document can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/shepherdwriteup/
>
> Ciao
> Hannes
>
>
>
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
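
The asymmetry raised in the message above, as an added example that is not part of the original post or of the draft: a client-side check that reads client_secret_expires_at from a registration response (0 meaning the secret does not expire, as the draft defines it) and reports every other credential as carrying no lifetime signal. The sample responses, the ROTATE_WINDOW value and the status names are assumptions made for illustration.

```python
"""Added example: credential lifetime information in a dynamic client
registration response. All sample responses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the client starts re-registration one week before expiry.
ROTATE_WINDOW = 7 * 24 * 3600


@dataclass(frozen=True)
class Lifetime:
    credential: str                  # "client_secret", "jwks" or "client_id"
    status: str                      # see the functions below for the values
    expires_at: Optional[int] = None


def secret_lifetime(resp: dict, now: int) -> Optional[Lifetime]:
    """Classify the client secret, or return None if no secret was issued."""
    if "client_secret" not in resp:
        return None
    exp = resp.get("client_secret_expires_at")
    # The draft requires this field whenever a secret is issued; a missing,
    # non-integer or negative value cannot be acted on, so flag it.
    if isinstance(exp, bool) or not isinstance(exp, int) or exp < 0:
        return Lifetime("client_secret", "malformed")
    if exp == 0:                     # 0 is defined as "does not expire"
        return Lifetime("client_secret", "never_expires")
    if exp <= now:
        return Lifetime("client_secret", "expired", exp)
    if exp - now <= ROTATE_WINDOW:
        return Lifetime("client_secret", "rotate_soon", exp)
    return Lifetime("client_secret", "valid", exp)


def credential_lifetimes(resp: dict, now: int) -> List[Lifetime]:
    """Report what the response says about the lifetime of each credential."""
    report: List[Lifetime] = []
    secret = secret_lifetime(resp, now)
    if secret is not None:
        report.append(secret)
    # No field in the response carries an expiry for the registered key set
    # or for the client itself: the client cannot plan rotation for them.
    if "jwks" in resp:
        report.append(Lifetime("jwks", "unsignalled"))
    report.append(Lifetime("client_id", "unsignalled"))
    return report


def summary(resp: dict, now: int) -> Dict[str, str]:
    """Flatten the report to {credential: status}."""
    return {item.credential: item.status
            for item in credential_lifetimes(resp, now)}


# Constructed inputs: a fixed "current time" and four registration responses.
NOW = 1410393600
SECRET_CLIENT = {"client_id": "example-client-1",
                 "client_secret": "constructed-secret",
                 "client_secret_expires_at": NOW + 3 * 24 * 3600}
NON_EXPIRING = {"client_id": "example-client-2",
                "client_secret": "constructed-secret",
                "client_secret_expires_at": 0}
JWKS_CLIENT = {"client_id": "example-client-3", "jwks": {"keys": []}}
PUBLIC_CLIENT = {"client_id": "example-client-4"}

if __name__ == "__main__":
    for name, resp in [("secret", SECRET_CLIENT), ("non-expiring", NON_EXPIRING),
                       ("jwks", JWKS_CLIENT), ("public", PUBLIC_CLIENT)]:
        print(name, summary(resp, NOW))
```
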


Re: [OAUTH-WG] Fwd: Is OAUTHV2-HTTP_MAC dead?

2014-09-11 Thread Hannes Tschofenig
Hi Rex,

On 09/11/2014 10:15 AM, Rex Albert wrote:
> Hi Hannes,
> thank you very much for the response and it is very useful to have such
> detailed information. thank you again for that. 
> I am now reading about PoP and it is very interesting and also seeing
> HTTP signature as well. 

Thanks for looking at the document. Please provide comments, if you run
into questions or bugs.


> Our requirement in short - to achieve seamless authentication and
> authorization among HTTP - REST based web services within a protected
> network with a secure channel for communication, without human
> intervention and without compromise on the time taken to process each
> request. 

I think we are getting there.

> Kindly let me know if you need further details . 

Particularly for the HTTP signature approach we need input since it is
still not close to getting finalized.


It would also be great if you also have some possibility to provide
implementation feedback.

> thanks again
> -rex
> 
Ciao
Hannes

> On Wed, Sep 10, 2014 at 9:26 PM, Hannes Tschofenig
> <hannes.tschofe...@gmx.net> wrote:
> 
> Hi Rex,
> 
> the document  has been superseded by
> the PoP work (which was subsequently split into various other
> documents).
> 
> That, however, does not mean that the content is dead. The mechanism for
> the authorization server to convey the symmetric key to the client is
> now documented in . The high
> level description / overview is now documented in
> . The actual mechanism for the client
> to apply the key to the request to the resource server is now documented
> in .
> 
> While < draft-ietf-oauth-signed-http-request> today is different to the
> mechanism described in  it also has to
> be said that it is the weakest document in the entire document set at
> the moment.
> 
> So, there is still a chance to incorporate your design requirements into
> the appropriate parts of the work since the work is still in progress.
> 
> It would be good to know what your requirements/interests are.
> 
> Ciao
> Hannes
> 
> 
> On 09/10/2014 11:49 AM, Sergey Beryozkin wrote:
> > Hi
> > On 10/09/14 09:57, Rex Albert wrote:
> >>
> >>
> >> Hi,
> >> We are looking at implementing OAUTHV2-HTTP-MAC whose draft is in an
> >> expired
> >>
> state.(http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05)  Is
> >> it dead or is it going to be a standard anytime? or are we going to
> >> implement at our own risk? or is there a better standard/draft (
> alive )
> >> which might supersede this draft ?
> >
> > It's not going to be revived. Does not mean though one can not use the
> > idea for implementing custom OAuth2 token schemes, IMHO it was a very
> > simple and effective 'PoP' approach, and it is easy to document and
> > support. FYI, we support a Hawk scheme (not part of OAuth2 work at
> all,
> > kind of 'draft-ietf-oauth-v2-http-mac-06') as an access token
> scheme in
> > our project.
> >
> > As far as I understand new proof-of-possession documents the group is
> > working upon will offer the alternative standard solutions.
> >
> > Cheers, Sergey
> >
> >>
> >> thank you for your time.
> >> I am a newbie to the IETF draft process and kindly excuse my naivety.
> >> -rex
> >>
> >>
> >>
> >>
> >
> 
> 





Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Hannes Tschofenig
I also looked at
https://www.ietf.org/iesg/informational-vs-experimental.html and I got
the impression that an Experimental RFC would be the right category.

Ciao
Hannes

On 09/11/2014 06:03 PM, Richer, Justin P. wrote:
> +1 
> 
> That was the key line that I took from the guidelines as well and this was my 
> understanding of the discussion in Toronto.
> 
>  -- Justin
> 
> On Sep 11, 2014, at 12:02 PM, John Bradley  wrote:
> 
>> I think this fits.
>>
>>  • If the IETF may publish something based on this on the standards 
>> track once we know how well this one works, it's Experimental. This is the 
>> typical case of not being able to decide which protocol is "better" before 
>> we have experience of dealing with them from a stable specification. Case in 
>> point: "PGM Reliable Transport Protocol Specification" (RFC 3208)
>>
>> If we publish something it may or may not look like the current spec but 
>> getting some experience with the current spec will inform that decision. 
>>
>> John B.
>> On Sep 11, 2014, at 12:55 PM, Phil Hunt  wrote:
>>
>>> Interesting. The definitions in that don't correspond with what ADs and 
>>> other groups are doing. 
>>>
>>> I heard httpbis using experimental as a placeholder for a draft that didn't 
>>> have full consensus to bring back later. 
>>>
>>> That was the feel I had in Toronto-that we weren't done but it was time to 
>>> publish something. 
>>>
>>> Reading the actual definition I would say neither fits. Ugh. 
>>>
>>> Phil
>>>
>>>> On Sep 11, 2014, at 8:01, "Richer, Justin P." wrote:
>>>>
>>>> According to the guidelines here:
>>>>
>>>> https://www.ietf.org/iesg/informational-vs-experimental.html
>>>>
>>>> And the discussion in Toronto, it's clearly experimental.
>>>>
>>>> -- Justin
>>>>
>>>>> On Sep 11, 2014, at 10:36 AM, Anthony Nadalin wrote:
>>>>>
>>>>> Is "experimental" the correct classification? Maybe "informational" is 
>>>>> more appropriate as both of these were discussed. 
>>>>>
>>>>> -Original Message-
>>>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>>>>> Sent: Wednesday, September 10, 2014 4:50 PM
>>>>> To: oauth@ietf.org
>>>>> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
>>>>> Steps?
>>>>>
>>>>> Hi all,
>>>>>
>>>>> in response to the discussions at the last IETF meeting the authors of 
>>>>> the "Dynamic Client Registration Management Protocol"
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
>>>>> changed the document type to "Experimental".
>>>>>
>>>>> We need to make a decision about the next steps for the document and we 
>>>>> see the following options:
>>>>>
>>>>> a) Publish it as an experimental RFC
>>>>>
>>>>> b) Remove it from the working group and ask an AD to shepherd it
>>>>>
>>>>> c) Remove it from the working group and let the authors publish it via 
>>>>> the independent submission track.
>>>>>
>>>>> In any case it would be nice to let folks play around with it and then, 
>>>>> after some time, come back to determine whether there is enough interest 
>>>>> to produce a standard.
>>>>>
>>>>> Please let us know what you think!
>>>>>
>>>>> Ciao
>>>>> Hannes & Derek
>>>>>
>>>>>
>>>>>
>>>>> ___
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> ___
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 





Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Phil Hunt
+1. Experimental seems best here. 

Phil

> On Sep 11, 2014, at 9:03, "Richer, Justin P."  wrote:
> 
> +1 
> 
> That was the key line that I took from the guidelines as well and this was my 
> understanding of the discussion in Toronto.
> 
> -- Justin
> 
>> On Sep 11, 2014, at 12:02 PM, John Bradley  wrote:
>> 
>> I think this fits.
>> 
>>• If the IETF may publish something based on this on the standards track 
>> once we know how well this one works, it's Experimental. This is the typical 
>> case of not being able to decide which protocol is "better" before we have 
>> experience of dealing with them from a stable specification. Case in point: 
>> "PGM Reliable Transport Protocol Specification" (RFC 3208)
>> 
>> If we publish something it may or may not look like the current spec but 
>> getting some experience with the current spec will inform that decision. 
>> 
>> John B.
>>> On Sep 11, 2014, at 12:55 PM, Phil Hunt  wrote:
>>> 
>>> Interesting. The definitions in that don't correspond with what ADs and 
>>> other groups are doing. 
>>> 
>>> I heard httpbis using experimental as a placeholder for a draft that didn't 
>>> have full consensus to bring back later. 
>>> 
>>> That was the feel I had in Toronto-that we weren't done but it was time to 
>>> publish something. 
>>> 
>>> Reading the actual definition I would say neither fits. Ugh. 
>>> 
>>> Phil
>>> 
>>>> On Sep 11, 2014, at 8:01, "Richer, Justin P." wrote:
>>>> 
>>>> According to the guidelines here:
>>>> 
>>>> https://www.ietf.org/iesg/informational-vs-experimental.html
>>>> 
>>>> And the discussion in Toronto, it's clearly experimental.
>>>> 
>>>> -- Justin
>>>> 
>>>>> On Sep 11, 2014, at 10:36 AM, Anthony Nadalin wrote:
>>>>> 
>>>>> Is "experimental" the correct classification? Maybe "informational" is 
>>>>> more appropriate as both of these were discussed. 
>>>>> 
>>>>> -Original Message-
>>>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>>>>> Sent: Wednesday, September 10, 2014 4:50 PM
>>>>> To: oauth@ietf.org
>>>>> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
>>>>> Steps?
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> in response to the discussions at the last IETF meeting the authors of 
>>>>> the "Dynamic Client Registration Management Protocol"
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
>>>>> changed the document type to "Experimental".
>>>>> 
>>>>> We need to make a decision about the next steps for the document and we 
>>>>> see the following options:
>>>>> 
>>>>> a) Publish it as an experimental RFC
>>>>> 
>>>>> b) Remove it from the working group and ask an AD to shepherd it
>>>>> 
>>>>> c) Remove it from the working group and let the authors publish it via 
>>>>> the independent submission track.
>>>>> 
>>>>> In any case it would be nice to let folks play around with it and then, 
>>>>> after some time, come back to determine whether there is enough interest 
>>>>> to produce a standard.
>>>>> 
>>>>> Please let us know what you think!
>>>>> 
>>>>> Ciao
>>>>> Hannes & Derek
>>>>> 
>>>>> 
>>>>> 
>>>>> ___
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> ___
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 



Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Richer, Justin P.
+1 

That was the key line that I took from the guidelines as well and this was my 
understanding of the discussion in Toronto.

 -- Justin

On Sep 11, 2014, at 12:02 PM, John Bradley  wrote:

> I think this fits.
> 
>   • If the IETF may publish something based on this on the standards 
> track once we know how well this one works, it's Experimental. This is the 
> typical case of not being able to decide which protocol is "better" before we 
> have experience of dealing with them from a stable specification. Case in 
> point: "PGM Reliable Transport Protocol Specification" (RFC 3208)
> 
> If we publish something it may or may not look like the current spec but 
> getting some experience with the current spec will inform that decision. 
> 
> John B.
> On Sep 11, 2014, at 12:55 PM, Phil Hunt  wrote:
> 
>> Interesting. The definitions in that don't correspond with what ADs and 
>> other groups are doing. 
>> 
>> I heard httpbis using experimental as a placeholder for a draft that didn't 
>> have full consensus to bring back later. 
>> 
>> That was the feel I had in Toronto-that we weren't done but it was time to 
>> publish something. 
>> 
>> Reading the actual definition I would say neither fits. Ugh. 
>> 
>> Phil
>> 
>>> On Sep 11, 2014, at 8:01, "Richer, Justin P."  wrote:
>>> 
>>> According to the guidelines here:
>>> 
>>> https://www.ietf.org/iesg/informational-vs-experimental.html
>>> 
>>> And the discussion in Toronto, it's clearly experimental.
>>> 
>>> -- Justin
>>> 
>>>> On Sep 11, 2014, at 10:36 AM, Anthony Nadalin wrote:
>>>> 
>>>> Is "experimental" the correct classification? Maybe "informational" is 
>>>> more appropriate as both of these were discussed. 
>>>> 
>>>> -Original Message-
>>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>>>> Sent: Wednesday, September 10, 2014 4:50 PM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
>>>> Steps?
>>>> 
>>>> Hi all,
>>>> 
>>>> in response to the discussions at the last IETF meeting the authors of the 
>>>> "Dynamic Client Registration Management Protocol"
>>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
>>>> changed the document type to "Experimental".
>>>> 
>>>> We need to make a decision about the next steps for the document and we 
>>>> see the following options:
>>>> 
>>>> a) Publish it as an experimental RFC
>>>> 
>>>> b) Remove it from the working group and ask an AD to shepherd it
>>>> 
>>>> c) Remove it from the working group and let the authors publish it via the 
>>>> independent submission track.
>>>> 
>>>> In any case it would be nice to let folks play around with it and then, 
>>>> after some time, come back to determine whether there is enough interest 
>>>> to produce a standard.
>>>> 
>>>> Please let us know what you think!
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> 
>>>> 
>>>> ___
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 



Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread John Bradley
I think this fits.

• If the IETF may publish something based on this on the standards 
track once we know how well this one works, it's Experimental. This is the 
typical case of not being able to decide which protocol is "better" before we 
have experience of dealing with them from a stable specification. Case in 
point: "PGM Reliable Transport Protocol Specification" (RFC 3208)

If we publish something it may or may not look like the current spec but 
getting some experience with the current spec will inform that decision. 

John B.
On Sep 11, 2014, at 12:55 PM, Phil Hunt  wrote:

> Interesting. The definitions in that don't correspond with what ADs and other 
> groups are doing. 
> 
> I heard httpbis using experimental as a placeholder for a draft that didn't 
> have full consensus to bring back later. 
> 
> That was the feel I had in Toronto-that we weren't done but it was time to 
> publish something. 
> 
> Reading the actual definition I would say neither fits. Ugh. 
> 
> Phil
> 
>> On Sep 11, 2014, at 8:01, "Richer, Justin P."  wrote:
>> 
>> According to the guidelines here:
>> 
>> https://www.ietf.org/iesg/informational-vs-experimental.html
>> 
>> And the discussion in Toronto, it's clearly experimental.
>> 
>> -- Justin
>> 
>>> On Sep 11, 2014, at 10:36 AM, Anthony Nadalin  wrote:
>>> 
>>> Is "experimental" the correct classification? Maybe "informational" is more 
>>> appropriate as both of these were discussed. 
>>> 
>>> -Original Message-
>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>>> Sent: Wednesday, September 10, 2014 4:50 PM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
>>> Steps?
>>> 
>>> Hi all,
>>> 
>>> in response to the discussions at the last IETF meeting the authors of the 
>>> "Dynamic Client Registration Management Protocol"
>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
>>> changed the document type to "Experimental".
>>> 
>>> We need to make a decision about the next steps for the document and we see 
>>> the following options:
>>> 
>>> a) Publish it as an experimental RFC
>>> 
>>> b) Remove it from the working group and ask an AD to shepherd it
>>> 
>>> c) Remove it from the working group and let the authors publish it via the 
>>> independent submission track.
>>> 
>>> In any case it would be nice to let folks play around with it and then, 
>>> after some time, come back to determine whether there is enough interest to 
>>> produce a standard.
>>> 
>>> Please let us know what you think!
>>> 
>>> Ciao
>>> Hannes & Derek
>>> 
>>> 
>>> 
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth





Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Phil Hunt
Interesting. The definitions in that don't correspond with what ADs and other 
groups are doing. 

I heard httpbis using experimental as a placeholder for a draft that didn't 
have full consensus to bring back later. 

That was the feel I had in Toronto-that we weren't done but it was time to 
publish something. 

Reading the actual definition I would say neither fits. Ugh. 

Phil

> On Sep 11, 2014, at 8:01, "Richer, Justin P."  wrote:
> 
> According to the guidelines here:
> 
> https://www.ietf.org/iesg/informational-vs-experimental.html
> 
> And the discussion in Toronto, it's clearly experimental.
> 
> -- Justin
> 
>> On Sep 11, 2014, at 10:36 AM, Anthony Nadalin  wrote:
>> 
>> Is "experimental" the correct classification? Maybe "informational" is more 
>> appropriate as both of these were discussed. 
>> 
>> -Original Message-
>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Wednesday, September 10, 2014 4:50 PM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
>> Steps?
>> 
>> Hi all,
>> 
>> in response to the discussions at the last IETF meeting the authors of the 
>> "Dynamic Client Registration Management Protocol"
>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
>> changed the document type to "Experimental".
>> 
>> We need to make a decision about the next steps for the document and we see 
>> the following options:
>> 
>> a) Publish it as an experimental RFC
>> 
>> b) Remove it from the working group and ask an AD to shepherd it
>> 
>> c) Remove it from the working group and let the authors publish it via the 
>> independent submission track.
>> 
>> In any case it would be nice to let folks play around with it and then, 
>> after some time, come back to determine whether there is enough interest to 
>> produce a standard.
>> 
>> Please let us know what you think!
>> 
>> Ciao
>> Hannes & Derek
>> 
>> 
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
I don't see it that way as the guidelines are not clear and we should revisit this 
since there was no conclusion in Toronto. 

-Original Message-
From: Richer, Justin P. [mailto:jric...@mitre.org] 
Sent: Thursday, September 11, 2014 8:01 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
Steps?

According to the guidelines here:

https://www.ietf.org/iesg/informational-vs-experimental.html

And the discussion in Toronto, it's clearly experimental.

 -- Justin

On Sep 11, 2014, at 10:36 AM, Anthony Nadalin  wrote:

> Is "experimental" the correct classification? Maybe "informational" is more 
> appropriate as both of these were discussed. 
> 
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, September 10, 2014 4:50 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
> Steps?
> 
> Hi all,
> 
> in response to the discussions at the last IETF meeting the authors of the 
> "Dynamic Client Registration Management Protocol"
> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
> changed the document type to "Experimental".
> 
> We need to make a decision about the next steps for the document and we see 
> the following options:
> 
> a) Publish it as an experimental RFC
> 
> b) Remove it from the working group and ask an AD to shepherd it
> 
> c) Remove it from the working group and let the authors publish it via the 
> independent submission track.
> 
> In any case it would be nice to let folks play around with it and then, after 
> some time, come back to determine whether there is enough interest to produce 
> a standard.
> 
> Please let us know what you think!
> 
> Ciao
> Hannes & Derek
> 
> 
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Richer, Justin P.
According to the guidelines here:

https://www.ietf.org/iesg/informational-vs-experimental.html

And the discussion in Toronto, it's clearly experimental.

 -- Justin

On Sep 11, 2014, at 10:36 AM, Anthony Nadalin  wrote:

> Is "experimental" the correct classification? Maybe "informational" is more 
> appropriate as both of these were discussed. 
> 
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, September 10, 2014 4:50 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
> Steps?
> 
> Hi all,
> 
> in response to the discussions at the last IETF meeting the authors of the 
> "Dynamic Client Registration Management Protocol"
> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have 
> changed the document type to "Experimental".
> 
> We need to make a decision about the next steps for the document and we see 
> the following options:
> 
> a) Publish it as an experimental RFC
> 
> b) Remove it from the working group and ask an AD to shepherd it
> 
> c) Remove it from the working group and let the authors publish it via the 
> independent submission track.
> 
> In any case it would be nice to let folks play around with it and then, after 
> some time, come back to determine whether there is enough interest to produce 
> a standard.
> 
> Please let us know what you think!
> 
> Ciao
> Hannes & Derek
> 
> 
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
Is "experimental" the correct classification? Maybe "informational" is more 
appropriate as both of these were discussed. 

-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, September 10, 2014 4:50 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

Hi all,

in response to the discussions at the last IETF meeting the authors of the 
"Dynamic Client Registration Management Protocol"
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have changed 
the document type to "Experimental".

We need to make a decision about the next steps for the document and we see the 
following options:

a) Publish it as an experimental RFC

b) Remove it from the working group and ask an AD to shepherd it

c) Remove it from the working group and let the authors publish it via the 
independent submission track.

In any case it would be nice to let folks play around with it and then, after 
some time, come back to determine whether there is enough interest to produce a 
standard.

Please let us know what you think!

Ciao
Hannes & Derek





Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Thomas Hardjono
+1


/thomas/
___

On Sep 11, 2014, at 1:10, "Torsten Lodderstedt" <tors...@lodderstedt.net> wrote:

+1

 Original message 
From: John Bradley
Date: 11.09.2014 02:22 (GMT+01:00)
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
Steps?

+1

Sent from my iPhone

On Sep 10, 2014, at 9:07 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

+1

This gets it off the working group’s plate and lets us gather data about 
whether this is useful or not and whether it’s right or whether changes are 
needed, based on actual usage experience.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Richer
Sent: Wednesday, September 10, 2014 5:05 PM
To: Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next 
Steps?

a) Publish it as experimental. There was reasonable support for this in both 
Toronto and London.

 -- Justin

On 9/10/2014 7:50 PM, Hannes Tschofenig wrote:

Hi all,

in response to the discussions at the last IETF meeting the authors of
the "Dynamic Client Registration Management Protocol"
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-05 have
changed the document type to "Experimental".

We need to make a decision about the next steps for the document and we
see the following options:

a) Publish it as an experimental RFC

b) Remove it from the working group and ask an AD to shepherd it

c) Remove it from the working group and let the authors publish it via
the independent submission track.

In any case it would be nice to let folks play around with it and then,
after some time, come back to determine whether there is enough interest
to produce a standard.

Please let us know what you think!

Ciao
Hannes & Derek


Re: [OAUTH-WG] Fwd: Is OAUTHV2-HTTP_MAC dead?

2014-09-11 Thread Rex Albert
Hi Hannes,
Thank you very much for the response and it is very useful to have such
detailed information. Thank you again for that.
I am now reading about PoP and it is very interesting and also seeing HTTP
signature as well.
Our requirement in short - to achieve seamless authentication and
authorization among HTTP - REST based web services within a protected
network with a secure channel for communication, without human intervention
and without compromise on the time taken to process each request.
Kindly let me know if you need further details.
Thanks again
-rex

On Wed, Sep 10, 2014 at 9:26 PM, Hannes Tschofenig <
hannes.tschofe...@gmx.net> wrote:

> Hi Rex,
>
> the document  has been superseded by
> the PoP work (which was subsequently split into various other documents).
>
> That, however, does not mean that the content is dead. The mechanism for
> the authorization server to convey the symmetric key to the client is
> now documented in . The high
> level description / overview is now documented in
> . The actual mechanism for the client
> to apply the key to the request to the resource server is now documented
> in .
>
> While <draft-ietf-oauth-signed-http-request> today is different to the
> mechanism described in  it also has to
> be said that it is the weakest document in the entire document set at
> the moment.
>
> So, there is still a chance to incorporate your design requirements into
> the appropriate parts of the work since the work is still in progress.
>
> It would be good to know what your requirements/interests are.
>
> Ciao
> Hannes
>
>
> On 09/10/2014 11:49 AM, Sergey Beryozkin wrote:
> > Hi
> > On 10/09/14 09:57, Rex Albert wrote:
> >>
> >>
> >> Hi,
> >> We are looking at implementing OAUTHV2-HTTP-MAC whose draft is in an
> >> expired
> >> state.(http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05)  Is
> >> it dead or is it going to be a standard anytime? or are we going to
> >> implement at our own risk? or is there a better standard/draft ( alive )
> >> which might supersede this draft ?
> >
> > It's not going to be revived. Does not mean though one can not use the
> > idea for implementing custom OAuth2 token schemes, IMHO it was a very
> > simple and effective 'PoP' approach, and it is easy to document and
> > support. FYI, we support a Hawk scheme (not part of OAuth2 work at all,
> > kind of 'draft-ietf-oauth-v2-http-mac-06') as an access token scheme in
> > our project.
> >
> > As far as I understand new proof-of-possession documents the group is
> > working upon will offer the alternative standard solutions.
> >
> > Cheers, Sergey
> >
> >>
> >> thank you for your time.
> >> I am a newbie to the IETF draft process and kindly excuse my naivety.
> >> -rex
> >>
> >>
> >>
> >> ___
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> > ___
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
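
The three roles described in the thread above (the authorization server conveys a symmetric key, the client applies it to the request, the resource server checks it), as an added Python example that is not code from any participant or from the drafts. The string-to-sign layout, the field names `kid`/`ts`/`nonce`/`mac` and the 300-second window are assumptions made for this example, not the normalization defined in draft-ietf-oauth-v2-http-mac-05 or the PoP documents.

```python
import base64
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds; assumed freshness window, not a value from the drafts


def issue_token():
    """Authorization server: mint a key id and the symmetric key bound to it."""
    return secrets.token_urlsafe(12), secrets.token_bytes(32)


def _string_to_sign(method, host, path, ts, nonce, body):
    # Layout constructed for this example; NOT the drafts' normalization.
    fields = [method.upper(), host.lower(), path, str(ts), nonce,
              hashlib.sha256(body).hexdigest()]
    return "\n".join(fields).encode()


def sign_request(kid, key, method, host, path, body=b"", ts=None, nonce=None):
    """Client: prove possession of the key by MACing the request it sends."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_urlsafe(12) if nonce is None else nonce
    msg = _string_to_sign(method, host, path, ts, nonce, body)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return {"kid": kid, "ts": ts, "nonce": nonce,
            "mac": base64.b64encode(mac).decode()}


class ResourceServer:
    """Verifies the MAC with the key the authorization server shared."""

    def __init__(self, keys):
        self.keys = dict(keys)  # kid -> symmetric key
        self.seen = {}          # (kid, nonce) -> ts, replay cache

    def verify(self, auth, method, host, path, body=b"", now=None):
        now = int(time.time()) if now is None else now
        try:
            kid, nonce = str(auth["kid"]), str(auth["nonce"])
            ts = int(auth["ts"])
            presented = base64.b64decode(auth["mac"], validate=True)
        except (KeyError, TypeError, ValueError):
            return "malformed"
        key = self.keys.get(kid)
        if key is None:
            return "unknown_key"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        msg = _string_to_sign(method, host, path, ts, nonce, body)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            return "bad_mac"
        # Record the nonce only after the MAC checks out, so unauthenticated
        # traffic cannot fill the replay cache. Entries older than the window
        # can be dropped because the "stale" check already rejects them.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (kid, nonce) in self.seen:
            return "replay"
        self.seen[(kid, nonce)] = ts
        return "ok"
```

Unlike a bearer token, a captured `kid` alone is useless here: without the key the MAC cannot be recomputed, and a captured complete request is rejected as a replay or as stale.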