[WG-UMA] OAuth 2.0 and the Road to Hell

Thomas Hardjono identity at hardjono.net
Tue Jul 31 09:51:05 EDT 2012


Not sure what Eran means by “complex” :-)  UMA is fairly simple. Much
of the security aspects are pushed down to the “OAuth layer” and
below.

I’m never sure if people are kidding when they say they want “simple
security”. Something somewhere has to handle the various
requirements/properties relating to “security”, especially when it
involves multi-party transactions.

PS. If you want to see “complex”, please read RFC4120 and RFC4301.

cheers,

/thomas/

----------------------------


From: wg-uma-bounces at kantarainitiative.org
[mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Eve Maler
Sent: Tuesday, July 31, 2012 12:59 AM
To: Alam
Cc: UMA WG WG
Subject: Re: [WG-UMA] OAuth 2.0 and the Road to Hell

Hmm, I hope Eran will take a look at the latest version of UMA. Paul
and I sought his feedback a couple of years ago, and his feedback was
that it was too complex. :-) We've not only excised the complexity,
our usage of OAuth is now plain vanilla and requires no extensions.
(The UMA token flow is OAuth-inspired but not really an OAuth
extension...)

	Eve

On 30 Jul 2012, at 5:28 AM, Alam <alamjan at gmail.com> wrote:


His (Eran's) latest comments on UMA:

"Another community that has been very satisfied with OAuth 2.0 is UMA.
Some of the UMA project leads are people I like and respect, like
Eve Maler. In the past I have invited members of the UMA community to
share their project with the OAuth community on the mailing list, at
IETF meetings, and on this blog. It has been a long time since I read
up on UMA but I was always skeptical about its relevancy to the
consumer web world I care about. UMA is also based on OAuth 2.0 and
relies on many of its extensibility areas to operate. If you want to
get an idea of the complexity (and richness) of this world, this is a
good place to start."

source: http://hueniverse.com/2012/07/on-leaving-oauth/

Regards,
Alam


On Mon, Jul 30, 2012 at 2:20 PM, Salvatore D'Agostino
<sal at idmachines.com> wrote:
Thanks Thomas.

Let's hope we all evolve ;-)

-----Original Message-----
From: Thomas Hardjono [mailto:identity at hardjono.net]
Sent: Sunday, July 29, 2012 8:56 PM
To: 'John Bradley'; 'Salvatore D'Agostino'
Cc: 'UMA WG WG'
Subject: RE: [WG-UMA] OAuth 2.0 and the Road to Hell

+1 agree with John here. OAuth 2.0 is here to stay. (It may evolve
further in the future).

cheers,

/thomas/

-----------------------------


From: wg-uma-bounces at kantarainitiative.org
[mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of John
Bradley
Sent: Saturday, July 28, 2012 2:51 PM
To: Salvatore D'Agostino
Cc: 'UMA WG WG'
Subject: Re: [WG-UMA] OAuth 2.0 and the Road to Hell

I put up a blog post this morning.
  http://www.thread-safe.com/2012/07/the-oauth-2-sky-is-not-falling.html

John B.
On 2012-07-28, at 11:43 AM, Salvatore D'Agostino wrote:


John,
 
Glad to hear the good with the bad.
 
Thanks,
Sal
 
From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Saturday, July 28, 2012 1:00 PM
To: Salvatore D'Agostino
Cc: 'Eve Maler'; 'Alam'; 'UMA WG WG'
Subject: Re: [WG-UMA] OAuth 2.0 and the Road to Hell
 
Get a grip people.  The sky is not falling.   Life is good.
 
The OAuth workgroup has been making excellent progress closing the
open issues.
 
We are now finishing the instructions for the RFC editor. The spec
has been completed in the last several months since the chairs removed
the editor's ability to block progress.
 
I don't think it would have been in UMA's interest to support only
confidential clients with only MAC tokens. It is true that protocols
using OAuth 2 need to define their security models and profile the
spec as UMA has. This is normal, nothing has changed except that OAuth
is making progress again.
 
John B.
 
On 2012-07-28, at 9:45 AM, Salvatore D'Agostino wrote:



Hi Eve,
 
Been lurking and seen this all come to pass as well.
 
Assume that the bad part is that Eran is right and that OAuth 2 is
less likely the building block we looked to build on?
 
Regards,
 
Sal
 
From: wg-uma-bounces at kantarainitiative.org
[mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Eve Maler
Sent: Friday, July 27, 2012 8:26 PM
To: Alam
Cc: UMA WG WG
Subject: Re: [WG-UMA] OAuth 2.0 and the Road to Hell
 
Sigh. This is an extraordinarily unhelpful blog post. Dick Hardt's
comment late in the thread captures some of the frustration around
Eran's position and actions...
 
            Eve
 
On 27 Jul 2012, at 8:44 AM, Alam <alamjan at gmail.com> wrote:




Hi All,

"They say the road to hell is paved with good intentions. Well,
that’s OAuth 2.0." Eran Hammer, for more...

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Cheers,
Alam
_______________________________________________
WG-UMA mailing list
WG-UMA at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
 

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl