Re: [OAUTH-WG] [apps-discuss] Web Finger vs. Simple Web Discovery (SWD)

[Derek Atkins <derek@ihtfp.com>]

"Murray S. Kucherawy" <msk@cloudmark.com> writes:

> Thank you Stephen, I think.  :-)
>
> So the discussion on apps-discuss now should be focused on which of the two should be the basis for forward progress.  I've placed both documents in "Call for Adoption" state in the datatracker for appsawg.

>From an OAUTH perspective I believe that we should help define the
requirements of what this protocol needs to provide (be it webfinger,
swd, or yadp (Yet Another Discovery Protocol) -- whatever it's named!)

I think there are two main differerences between webfinger and swd:

a) whole-document vs. individual attributes
b) a perceived authorization model to control access to said attributes

In particular I feel there are some specific security requirements that
must be bet by the protocol, but I think it's easily accomplished by
a small amount of text that effectively says:

1) requestors of the service should authenticate (or be treated as an
   anonymous user)
2) content returned must be dynamic and dependent on the authorization
   of the authenticated user.

This leaves only the perceived issue of "whole document" vs "individual
attribute".  If a client ever wants more than one attribute then a whole
document approach reduces the number of round trips.  However if
documents get large that could also affect performance.  We might, then,
need a way to specify which attributes are requested, but allow for a
wildcard to return "everything I am authorized to see".

> Let the games begin.

Heh.  Play ball!

> -MSK
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant