This wiki is no longer active and is left here for historical purposes. Please visit oauth.net for up-to-date information.

MeetingNotes20070821

Saved by Chris Messina
on September 22, 2007 at 7:42:50 pm
 

Attendees

 

At Twitter... LeahCulver, BrittSelvitelle, BlaineCook, ChrisMessina, DaveRecordon...

 

  • joining by phone... AndySmith, Eran Hammer-Lahav...

 

  • website
    • faq
    • larry will host it...
    • blaine will set up DNS
  • outstanding questions
  • use the google code repository for code... and force an IPR statement...
  • IPR...
    • ben laurie's contributions...
    • anyone who has contributed should sign the IPR policy
  • aug 31 deadline for spec
  • need to set up test server for compliance; test client...
  • no language token in the spec
    • google wants it... servers and browsers already do this... why not put it in a consistent place?
    • better to put it in conventions document...
    • language as optional parameter; clients can ignore it
  • version parameter?
    • specified on v2 and above; not in the spec...
  • on desktop side -- where we don't have a username/password for a user...
  • for web, avoiding entering username/password in third party service
  • token exchange
    • make use of OpenID library exchange?
      • too complicated?
    • authsub has insecure mode... "we need something easy for developers that doesn't require pre-registration"
    • authsub has secure mode... preregister private key... all pub requests signed with private key...
    • pass token in cleartext but use SSL... w/o SSL use Diffie-Hellman but know that there could be a MITM attack
    • should there be some standard way for sites to do this key value pair signing? per-token seems like a good idea... wesabe... mike megursky... digg doesn't want to have concept of consumer...
  • signing...
    • promote the use of HMAC-SHA1
    • for backwards compatibility use SHA1
    • encode your secrets and parameters the same way...
  • how does this map to all the other protocols/auths? create a comparison chart... how is it different? why?
  • larry and blaine will get client side code...
  • leah is doing python
  • dave will do perl
  • google will do java, HMAC libraries
  • justin miller could do pukka oauth implementation
  • craig hockenberry should write twitterrific + magnolia cocoa client libraries
