Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Anthony Nadalin
I agree we have no plans to implement MAC. If we wanted that we would have been happy with OAUTH 1.0a, but that was not deployable -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Saturday, December 03, 2011 6:26 PM To: Barry Lei

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Paul Madsen
Commercial OAuth authorization servers are neither 'toolkits' nor 'purpose built code' - not used to build OAuth clients/servers but yet required to support more variety in deployments than a single purpose built server. But, that variety is driven by customer demand, and none of ours (yet?)

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Stephen Farrell
FWIW, if Barry's suggested text was amended to say "MUST do bearer, MAY do mac" I'd still be ok with that. Much as I'd like if the mac scheme were more popular, my comment on -22 was interop and not really security related. S On 12/04/2011 01:15 PM, Paul Madsen wrote: Commercial OAuth authori

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Mike Jones
The core spec should be completely silent on MAC, as it is not ready for prime time. -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Stephen Farrell Sent: Sunday, December 04, 2011 6:20 AM To: Paul Madsen Cc: oauth@ietf.org Subject: Re: [OAUTH

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Stephen Farrell
Whatever. If the entire WG want to get excited by the difference between MAY do mac and not mentioning it then fine. Personally, I'd be more interested in getting done rather than nailing that final nail into any coffin;-) S On 12/04/2011 02:21 PM, Mike Jones wrote: The core spec should be co

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Eran Hammer-Lahav
Bearer tokens are practically identical to OAuth 1.0 PLAINTEXT. Get your facts right. > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Anthony Nadalin > Sent: Sunday, December 04, 2011 1:37 AM > To: Mike Jones; Barry Leiba; Stephen Farrell

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Eran Hammer-Lahav
This has been going on for far too long. There is a well-established gap between the two tokens and those who support them and we are NEVER going to reach consensus. Instead we have a war of attrition where each side is just keeping at it hoping the other side will give up. The only compromise w

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Blaine Cook
On 4 December 2011 02:26, Mike Jones wrote: > I strongly object to a mandatory-to-implement clause for the MAC scheme.   > They are unnecessary and market forces have shown that implementers do not > want or need this kind of an authentication scheme. I'd say that Twitter, Flickr, Dropbox and do

Re: [OAUTH-WG] Mandatory-to-implement token type

2011-12-04 Thread Stephen Farrell
Hiya, On 12/04/2011 06:51 PM, Eran Hammer-Lahav wrote: This has been going on for far too long. There is a well-established gap between the two tokens and those who support them and we are NEVER going to reach consensus. Instead we have a war of attrition where each side is just keeping at it