Re: [OAUTH-WG] Issue 15, new client registration

Skylar Woodward <skylar@kiva.org> Fri, 22 July 2011 21:46 UTC

Return-Path: <skylar@kiva.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1129521F858C for <oauth@ietfa.amsl.com>; Fri, 22 Jul 2011 14:46:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.597
X-Spam-Level:
X-Spam-Status: No, score=-6.597 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TLYtfZhdAZJK for <oauth@ietfa.amsl.com>; Fri, 22 Jul 2011 14:46:36 -0700 (PDT)
Received: from na3sys010aog107.obsmtp.com (na3sys010aog107.obsmtp.com [74.125.245.82]) by ietfa.amsl.com (Postfix) with SMTP id 9BBFD21F8545 for <oauth@ietf.org>; Fri, 22 Jul 2011 14:46:34 -0700 (PDT)
Received: from mail-ww0-f52.google.com ([74.125.82.52]) (using TLSv1) by na3sys010aob107.postini.com ([74.125.244.12]) with SMTP ID DSNKTinvuQhlF5hWpldEsmWV88OzLIWHGjdz@postini.com; Fri, 22 Jul 2011 14:46:34 PDT
Received: by wwf10 with SMTP id 10so2224748wwf.33 for <oauth@ietf.org>; Fri, 22 Jul 2011 14:46:32 -0700 (PDT)
Received: by 10.227.172.206 with SMTP id m14mr1787291wbz.29.1311371192066; Fri, 22 Jul 2011 14:46:32 -0700 (PDT)
Received: from [192.168.1.102] (89-159-227-201.rev.numericable.fr [89.159.227.201]) by mx.google.com with ESMTPS id em16sm2227174wbb.33.2011.07.22.14.46.30 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 22 Jul 2011 14:46:30 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: multipart/alternative; boundary="Apple-Mail=_A54263D2-03C3-4A09-8FD3-FB7AFD666717"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345021F377AA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Fri, 22 Jul 2011 23:46:29 +0200
Message-Id: <64930E85-923B-4811-8A6B-6A677B95F904@kiva.org>
References: <4E2740E9.5000209@lodderstedt.net> <4E274191.6020207@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72345021F377AA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1244.3)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue 15, new client registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2011 21:46:37 -0000

Looks like Torsten already has capture my suggestion which is also what the Kiva documentation uses… Verifiable/Forgeable identity.  It's precise and avoids making a statement about trust, etc.

But only developers need such simple one-word classifications.  For end users (e.g., people w/ accounts who approve access for an app) we're be providing much more verbose explanations. For example. "This application's identity has ben verified… still (caution, caution, caution)"  or  "This application's identity cannot be verified. Only approve this application if you absolutely trust the application or link that sent you this page…"

App users can't discern the significance of public vs. private credentials.

To me, public credentials are not credentials at all. Yet another term to define. Better to be precise.

Another option (and terminology we use to help developers) Can Keep Secrets / Can't Keep Secrets.

Attached screenshots in case anyone is interested in how this plays out in real-world UI (vs. specs).





On Jul 22, 2011, at 11:12 PM, Eran Hammer-Lahav wrote:

> 
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Torsten Lodderstedt
>> Sent: Wednesday, July 20, 2011 1:59 PM
>> To: OAuth WG
>> Subject: Re: [OAUTH-WG] Issue 15, new client registration
>> 
>> 2.1 Client types
>> 
>> I'm struggeling with the new terminology of "private" and "public"
>> clients. In my perception, the text just distinguishes clients which can be
>> authenticated and such which cannot. This is fine but I consider the wording
>> misleading. I would suggest to change it to something like trusted/untrusted
>> or authenticated/unauthenticated or Verifiable/Forgeable.
> 
> I'm open to changing the names.
> 
> I don't like trusted/untrusted because OAuth does not define trust. The authenticated/unauthenticated pair is also not ideal because the terms describe the outcome, not the nature of the client. As for verifiable/forgeable, I think these terms are too complicated for a casual reader.
> 
> My intention with public/private is to identify the nature of the client credentials. So a more verbose version would be 'public credentials/private credentials'. This also works with 'code' instead of 'credentials'.
> 
> It's clear from the past year of discussions that we need terminology to describe these two types.
> 
> Any other suggestions?
> 
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth