Re: [OAUTH-WG] Separate names for authentication and authorization

"Paul C. Bryan" <email@pbryan.net> Tue, 24 November 2009 14:55 UTC

From: "Paul C. Bryan" <email@pbryan.net>
To: Richard Barnes <rbarnes@bbn.com>
Date: Tue, 24 Nov 2009 06:55:17 -0800
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Separate names for authentication and authorization

People generally refer to RFC 2617 as (HTTP) "Basic" and "Digest"
authentication methods. Since OAuth is going toward "Token" as the
method type in the Authorization header, it seems to be consistent to
refer to it in similar fashion.

On Tue, 2009-11-24 at 08:54 -0500, Richard Barnes wrote:
> The high-level separation makes sense; I'm fine with reserving OAuth  
> for the delegation flow and calling the authentication method  
> something else.  (Digression: Could this be helpful in allowing other  
> authentication mechanisms into OAuth?)
> 
> That said, I'm not sure "Token Auth" is quite accurate (you could just  
> as well pass a token over Basic).  The important thing about the  
> authentication scheme that OAuth defines is that it provides some of  
> the benefit of Digest (e.g., it doesn't reveal secrets) but without  
> requiring two RTTs.  Maybe something like "Direct Auth" ("One-Shot"?  
> "Simple-Digest"?).
> 
> On the other hand, it is just a name.  That which we call OAuth, by  
> any other name..
> 
> --Richard
> 
> 
> 
> On Nov 24, 2009, at 12:45 AM, Eran Hammer-Lahav wrote:
> 
> > How do people feel about using OAuth as the name for the different  
> > flows to obtain a token, including the new flows defined in WRAP,  
> > and calling the authentication part simply the Token Authentication  
> > scheme, in line with Basic and Digest?
> >
> > I think this would be much more in-line with people's expectations  
> > of the OAuth "brand".
> >
> > EHL
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 