I have not been involved in the OAuth design processes, but for the
last few months, I’ve been a heavy user of production OAuth2 software,
which I felt gave me a platform to comment on the issue:
http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
-Tim
On Sun, Jul 29, 2012 at 2:57 PM, Hannes Tschofenig
<hannes(_dot_)tschofenig(_at_)gmx(_dot_)net> wrote:
It sounds indeed great to involve those communities that use the technology.
However, I don't see an easy way to accomplish that when we talk about a
really large community.
For example, many people use TLS and they are not all in the TLS WG working
group. I am not even talking about providing useful input to the work (since
you would have to be a security expert and some people just want to get their
application development done as quickly as possible). They just use the
library.
OAuth is a bit similar in that direction. Ideally, we want Web application
developers to just use a library and then add their application specific
technology on top of it rather than having to read the IETF specification and
to write the OAuth code themselves.
On Jul 29, 2012, at 2:13 PM, Worley, Dale R (Dale) wrote:
From: Hannes Tschofenig [hannes(_dot_)tschofenig(_at_)gmx(_dot_)net]
Eran claims that enterprise identity management equipment manufacturers
dominate the discussion.
There's a common problem in the IETF that the development of a standard is
dominated by companies that incorporate the standard into their products,
whereas the people who "really should" be involved in the development are
those who will *use* the standard in operation.
Dale