I have not been involved in the OAuth design processes, but for the last few months, I’ve been a heavy user of production OAuth2 software. Which I felt gave me a platform to comment on the issue:

http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead

-Tim

On Sun, Jul 29, 2012 at 2:57 PM, Hannes Tschofenig <hannes.tschofenig@xxxxxxx> wrote:
> It sounds indeed great to involve those communities that use the technology. However, I don't see an easy way to accomplish that when we talk about a really large community.
>
> For example, many people use TLS and they are not all in the TLS WG working group. I am not even talking about providing useful input to the work (since you would have to be a security expert and some people just want to get their application development done as quickly as possible). They just use the library.
>
> OAuth is a bit similar in that direction. Ideally, we want Web application developers to just use a library and then add their application specific technology on top of it rather than having to read the IETF specification and to write the OAuth code themselves.
>
> On Jul 29, 2012, at 2:13 PM, Worley, Dale R (Dale) wrote:
>
>>> From: Hannes Tschofenig [hannes.tschofenig@xxxxxxx]
>>>
>>> Eran claims that enterprise identity management equipment manufacturers dominate the discussion.
>>
>> There's a common problem in the IETF that the development of a standard is dominated by companies that incorporate the standard into their products, whereas the people who "really should" be involved in the development are those who will *use* the standard in operation.
>>
>> Dale
>