From: Justin Richer [mailto:jric...@mitre.org]
Sent: Monday, September 27, 2010 12:04 PM
To: Eran Hammer-Lahav
Cc: Dick Hardt; OAuth WG
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
Arguments like this are why I have been advocating for separating
[mailto:oauth-boun...@ietf.org] On Behalf
Of Manger, James H
Sent: Sunday, September 26, 2010 6:13 PM
To: OAuth WG
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
-1 to including a signature mechanism in OAuth2 core
+1 to OAuth2 being clear about how it can deliver
On 2010-09-26, at 11:02 PM, Eran Hammer-Lahav wrote:
Clearly, this group is making choices based on the kind of applications using
OAuth 1.0 today. The decision to focus on bearer tokens came from specific
experiences and types of consumer web services.
Any other applications are
I'll echo John's comments and remind you that Microsoft, Yahoo! and Google
security experts with plenty of real world experience worked on WRAP which is
OAuth bearer tokens.
Microsoft, Google, Salesforce, Facebook and others have deployed bearer token
OAuth in production after internal security
I have gone through Brian's wrap security considerations and will
incorporate them into the security considerations for OAuth 2 that Torsten
and I will compile. We can run it past Brian too
-Lahav
Cc: OAuth WG; Ben Laurie
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
I'll echo John's comments and remind you that Microsoft, Yahoo! and Google
security experts with plenty of real world experience worked on WRAP which is
OAuth bearer tokens.
Microsoft, Google
I think Torsten's previous comment explains it well: We cannot expect
approval of the core, if security is not sufficiently addressed. I also
agree that it cannot be addressed without the signature mechanism
clearly specified. Therefore, if anything is going to delay the core, it
is the
Well said.
-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Igor Faynberg
Sent: Monday, September 27, 2010 9:42 AM
To: Eve Maler
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
I think Torsten's
.
I think Torsten's previous comment explains
and if signatures are needed or just
SSL.
I
to give each side something to live with.
EHL
From: Dick Hardt [mailto:dick.ha...@gmail.com]
Sent: Monday, September 27, 2010 6:31 AM
To: John Panzer; Eran Hammer-Lahav
Cc: OAuth WG; Ben Laurie
Subject: Re: [OAUTH-WG] Basic signature support in the core
specification
On 2010-09-27, at 11:25 AM, Torsten Lodderstedt wrote:
On 27.09.2010 19:11, Anthony Nadalin wrote:
What is needed is the security considerations section complete, I
don't think that the signature specification has to be in the core to be
complete, there are provisions to use
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
Arguments like this are why I have been advocating for separating the
developers guide from the protocol spec for a while now. I believe that
they support two different audiences.
A developers' guide then has the option
On 27.09.2010 22:53, Dick Hardt wrote:
On 2010-09-27, at 11:25 AM, Torsten Lodderstedt wrote:
On 27.09.2010 19:11, Anthony Nadalin wrote:
What is needed is the security considerations section complete, I
don't think that the signature specification has to be in the core to be
On 2010-09-25, at 7:52 PM, Eve Maler wrote:
It seems like you figured it out pretty quickly, given the message you sent
immediately after. :-)
Referencing another spec from the core spec using normative text is
effectively including it by reference. I meant that I'm sympathetic (+1) to
-1 to including a signature mechanism in OAuth2 core
+1 to OAuth2 being clear about how it can deliver a secret key (and algorithm
id etc) that can be used by a signature mechanism
Firstly -- a mechanism to sign HTTP requests would be great, but should not be
dependent on methods for users to
+1 to having it in the core spec. I don't see how an optional section in
the spec will cause any confusion
+1 to John's suggestion below of starting with the OAuth 1.0a signature
mechanism. Why not put it in the spec and see what breaks or no longer
holds true
Mark McGloin
John Panzer wrote
On 25.09.2010 04:22, Eran Hammer-Lahav wrote:
OAuth 2.0 is far from being published as an RFC. I estimate it is at
least 6 months away from reaching final IESG approval, if not a year.
This is mostly due to a significant effort needed in writing and
reviewing the security considerations
I was talking about AS / PR developers.
EHL
On 9/24/10 10:39 PM, Dick Hardt dick.ha...@gmail.com wrote:
wrt. developers knowing what they need = I think the AS / PR will tell
developers if they need to use signatures, or if they need to use HTTPS, or if
they need to use assertions.
Sorry
My logic is that your suggested organization is based on your personal
preferences and what you consider core. If I applied my personal preference,
half of core would be elsewhere. My point is that deciding signatures is the
part belonging elsewhere is completely subjective to how important one
To be clear, I think signatures are important, and I think that standardizing
them would be really useful. One of the early complaints about OAuth 1.0 was
that the signature mechanism was different than the OpenID mechanism. Having a
standard signature mechanism in this space seems like a good
+1 for basic signature support
there is a need to protect end-users from token abuse by rogue resource
servers (see
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5, paragraph
3). Signatures based on a token secret are one way to prevent this kind
of attack.
Signature mechanisms
+1
2010/9/24 Eran Hammer-Lahav e...@hueniverse.com:
Since much of this recent debate was done off list, I'd like to ask people
to simply express their support or objection to including a basic signature
feature in the core spec, in line with the 1.0a signature approach.
This is not a vote,
+1
I am agnostic as to whether this means we define the signatures within
the spec or just reference/profile some other work. The fewer number of
signature algorithms we have to implement the better:)
George
On 9/23/10 9:43 PM, Eran Hammer-Lahav wrote:
Since much of this recent debate was
I would like to see the signatures stay in a separate spec, but to be
worked on and released along side of the core spec.
In fact, I think that there's more than one kind of signature that can
be used with the OAuth token mechanisms. At IIW East, we walked through
several use cases that called
I hope I am not causing the temperature of the group to rise dangerously
by voting in support (a.k.a. +1).
Igor
Eran Hammer-Lahav wrote:
Since much of this recent debate was done off list, I'd like to ask people
to simply express their support or objection to including a basic signature
+1 for signature support in the core spec (which may look like normative
pointers out to a separate spec module if it turns out there's wider usage for
that module beyond OAuth).
Eve
On 23 Sep 2010, at 6:43 PM, Eran Hammer-Lahav wrote:
Since much of this recent debate was done off
Perhaps this is picking nits but I want to clarify my opinion: I'm fine
if the core spec *mentions* signatures, I just don't want it to *define*
them. I'm perfectly happy with a section on if you want to do signing,
here's a way to do signing, but I want that way to be defined and
described
-1 on requiring it to be part of core OAuth2. Reasoning: It won't be a MUST
or even SHOULD requirement for either client or server, so adding it later
does not affect interop. The actual schedule to finalize the signature
mechanism should not be affected either way -- it's fine for a WG to
+1 on core
On Thu, Sep 23, 2010 at 6:43 PM, Eran Hammer-Lahav e...@hueniverse.com wrote:
Since much of this recent debate was done off list, I'd like to ask people
to simply express their support or objection to including a basic signature
feature in the core spec, in line with the 1.0a
-1 in core
+1 to being referenced in core and being a separate document
On 2010-09-23, at 6:43 PM, Eran Hammer-Lahav wrote:
Since much of this recent debate was done off list, I'd like to ask people
to simply express their support or objection to including a basic signature
feature in the
+1 on referencing separate spec from the core.
-1 for actually defining the sig inside the core.
=nat @ Tokyo via iPhone
On 2010/09/24, at 10:43, Eran Hammer-Lahav e...@hueniverse.com wrote:
Since much of this recent debate was done off list, I'd like to ask people
to simply express their
OAuth 2.0 is far from being published as an RFC. I estimate it is at least 6
months away from reaching final IESG approval, if not a year. This is mostly
due to a significant effort needed in writing and reviewing the security
considerations section which so far has received no attention. We
Most developers don't know if they need signatures! By putting them elsewhere
we will be promoting the bearer token approach as the default choice and that's
unacceptable to me. It is promoting a specific security compromise (for
developer ease) that is far from industry consensus.
I can make
I'm happy to do that. But I will be breaking the spec into more than two parts.
Basically, I will be creating a version that does not force anyone to read
anything they might not care about. Clearly, we shouldn't base editorial
decisions on what you want to read :-)
EHL
On 9/24/10 5:21 PM,
I don't follow your logic ... or perhaps I don't see why the spec needs to be
written in more than two parts.
For example, the current spec does not specify the format of the token -- which
keeps it simpler and straight forward. There are separate draft specs for
standardizing the token.
+1
-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Eran Hammer-Lahav
Sent: Thursday, September 23, 2010 6:44 PM
To: OAuth WG
Subject: [OAUTH-WG] Basic signature support in the core specification
Since much of this recent debate was done