Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Phillip Hunt
I have not seen any detailed agenda for IETF 80. If there will be votes that override email votes all participants should so be informed. Phil Sent from my phone. On 2011-03-11, at 17:46, Anthony Nadalin wrote: >> Why the early cut-off date? As this is in advance of IETF 80, changes will >>

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Igor Faynberg
I vote (A) because 1) I strongly believe in modularity and 2) I disagree with D. Hence what applies to all specifications must be defined at the highest level, rather than in a self-contained specification. So, this looked like a simple matter to me. Having said that, I note that Lucy has a d

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Lucy Lynch
On Sat, 12 Mar 2011, Anthony Nadalin wrote: Why the early cut-off date? As this is in advance of IETF 80, changes will wait until after Prague in any case. To inform the discussions @ IETF 80 to determine what else might be needed, which goes to your second comment ack - thanks! -Ori

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Anthony Nadalin
> Why the early cut-off date? As this is in advance of IETF 80, changes will > wait until after Prague in any case. To inform the discussions @ IETF 80 to determine what else might be needed, which goes to your second comment -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Lucy Lynch
On Fri, 11 Mar 2011, Mike Jones wrote: As you know, the OAuth 2.0 Bearer Token draft -03 established the OAuth Errors Registry to increase interoperability among implementations using the related OAuth specificat

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Eran Hammer-Lahav
D (not objection to C). So far, not a single use case or technical rationale has been presented to justify option A. Option B is not a valid option per IETF process (for option B to be valid, the protocol spec must first be published as an RFC, and then the bearer token spec updates it). This

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Mike Jones
The value of having a common OAuth Errors Registry, as provided by both (A) and (B), is that when “one is defining a non-bearer spec”, the errors will be consistent with those used in the bearer spec (and other OAuth specs), which can only help interoperability. Your statement “It doesn't seem

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Phillip Hunt
Extensibility for the new option would be defined within each spec. It doesn't seem right to put registry in bearer spec. What if one is defining a non-bearer spec? Phil Sent from my phone. On 2011-03-11, at 15:41, Mike Jones wrote: > That would be yet a different option. With (C), the ini

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Mike Jones
That would be yet a different option. With (C), the initial set of errors registered by the bearer token spec {invalid_request, invalid_token, insufficient_scope} could be extended by registering new errors. With your alternative wording, this set would not be extensible.

Re: [OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Phil Hunt
Should option C read: No OAuth Errors Registry, but each specification may specify its own set of errors. Or is this another option and C is different? Phil phil.h...@oracle.com On 2011-03-11, at 3:04 PM, Mike Jones wrote: > As you know, the OAuth 2.0 Bearer Token draft -03 established the O

[OAUTH-WG] Vote: Location of OAuth Errors Registry, deadline Friday, March 18

2011-03-11 Thread Mike Jones
As you know, the OAuth 2.0 Bearer Token draft -03 established the OAuth Errors Registry to increase interoperability among implementations using the related OAuth specifications. As you also know, there has been so

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Peter Saint-Andre
On 3/11/11 3:22 PM, Igor Faynberg wrote: > Peter, > > First, thank you very much for being so responsive! I'm not always so responsive. You got lucky. :) > My hope was that we could start much earlier than on Thursday, and I've > been trying to coax Torsten to arrive no later than Monday. He sho

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Igor Faynberg
Peter, First, thank you very much for being so responsive! My hope was that we could start much earlier than on Thursday, and I've been trying to coax Torsten to arrive no later than Monday. He should lead the security discussion, and the earlier that starts -- the better... (And there are

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Zeltsan, Zachary (Zachary)
Torsten, I will attend the IETF 80 starting on Monday. Zachary -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Friday, March 11, 2011 4:15 AM To: OAuth WG Subject: [OAUTH-WG] IETF-80 Hi all, who of the WG will att

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Peter Saint-Andre
On 3/11/11 12:10 PM, Peter Saint-Andre wrote: > On 3/11/11 11:44 AM, Igor Faynberg wrote: >> Peter, >> >> Could you please advertise the room when it is reserved? > > Certainly. > > I'd appreciate it if those who want to join this working session could > speak up on the list so that I can assign

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Lu, Hui-Lan (Huilan)
+1 Best regards, Huilan LU > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] > On Behalf Of Peter Saint-Andre > Sent: Friday, March 11, 2011 2:11 PM > To: Faynberg, Igor (Igor) > Cc: OAuth WG > Subject: Re: [OAUTH-WG] IETF-80 > > On 3/11/11 11:44 AM, I

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Peter Saint-Andre
On 3/11/11 11:44 AM, Igor Faynberg wrote: > Peter, > > Could you please advertise the room when it is reserved? Certainly. I'd appreciate it if those who want to join this working session could speak up on the list so that I can assign a "point person" and so that we can figure out how big a roo

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Igor Faynberg
Peter, Could you please advertise the room when it is reserved? With thanks, Igor Peter Saint-Andre wrote: On 3/11/11 9:10 AM, Anthony Nadalin wrote: Torsten, Mike Jones and I will be there all week, it might be good to setup some time to go through the Security Considerations draft

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Peter Saint-Andre
On 3/11/11 9:10 AM, Anthony Nadalin wrote: > Torsten, Mike Jones and I will be there all week, it might be good to > set up some time to go through the Security Considerations draft Yes, we can reserve a room for document editors (etc.) to complete some focused work on the specs. Peter -- Peter S

Re: [OAUTH-WG] IETF-80

2011-03-11 Thread Anthony Nadalin
Torsten, Mike Jones and I will be there all week, it might be good to set up some time to go through the Security Considerations draft -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Friday, March 11, 2011 1:15 AM To:

[OAUTH-WG] editorial comment on section 2 of bearer token draft

2011-03-11 Thread Ron Monzillo
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-03 the doc's stated purpose is to describe "how to use bearer tokens when accessing OAuth 2.0 protected resources". but then in section 2 and 2.1, it describes how clients make "authenticated token requests"; which can be read as an authen

Re: [OAUTH-WG] OAuth Bearer Token draft

2011-03-11 Thread Richer, Justin P.
It's not just scoped in the oauth-sense, it's also scoped to the issuing site and can't be replayed against other AS/PR domains in the way that a username/password pair can. -- Justin From: tors...@lodderstedt.net [tors...@lodderstedt.net] Sent: Friday,

Re: [OAUTH-WG] OAuth Bearer Token draft

2011-03-11 Thread Richer, Justin P.
Allow me to rephrase more precisely: "All formats that people are complaining about are optional". -- Justin From: Manger, James H [james.h.man...@team.telstra.com] Sent: Friday, March 11, 2011 1:05 AM To: Richer, Justin P.; OAuth WG Subject: RE: [OAUTH-

Re: [OAUTH-WG] Implicit Grant Client Authentication

2011-03-11 Thread Torsten Lodderstedt
Hi Craig, I've been puzzling over this text in 4.2: "... the authentication of the client is based on the user-agent's same-origin policy." I consider this a relict from the original User-Agent Flow description. This flow was dedicated to JavaScript apps running embedded in a webpage.

[OAUTH-WG] IETF-80

2011-03-11 Thread Torsten Lodderstedt
Hi all, who of the WG will attend IETF-80 and during which days? I'm uncertain yet whether it makes sense to arrive before Friday as there is only a single OAuth session on this day. If others will be available earlier we could probably set up some discussion of topics of common interest,

Re: [OAUTH-WG] OAuth Bearer Token draft

2011-03-11 Thread torsten
To scope a refresh token is good practice (IMHO). I agree with wrt URI query parameters. This should be used carefully and only if no other option exists. Regards, Torsten. --Original Message-- From: Phil Hunt To: Lodderstedt, Torsten Cc: Richer, Justin P. Cc: OAuth WG Subject: Re: [OAUTH-W

Re: [OAUTH-WG] OAuth Bearer Token draft

2011-03-11 Thread torsten
Why not "bearer_token"? This would be in line with the Authorization scheme name. regards, Torsten. Sent with BlackBerry® Webmail from Telekom Deutschland -Original Message- From: Mike Jones Sender: oauth-boun...@ietf.org Date: Fri, 11 Mar 2011 01:54:00 To: OAuth WG Subject: Re: [O