Re: [OAUTH-WG] Separate names for authentication and authorization
Richard Barnes <rbarnes@bbn.com> Tue, 24 November 2009 13:55 UTC
The high-level separation makes sense; I'm fine with reserving OAuth for the delegation flow and calling the authentication method something else. (Digression: Could this be helpful in allowing other authentication mechanisms into OAuth?)

That said, I'm not sure "Token Auth" is quite accurate (you could just as well pass a token over Basic). The important thing about the authentication scheme that OAuth defines is that it provides some of the benefit of Digest (e.g., it doesn't reveal secrets) but without requiring two RTTs. Maybe something like "Direct Auth" ("One-Shot"? "Simple-Digest"?).

On the other hand, it is just a name. That which we call OAuth, by any other name..

--Richard

On Nov 24, 2009, at 12:45 AM, Eran Hammer-Lahav wrote:

> How do people feel about using OAuth as the name for the different
> flows to obtain a token, including the new flows defined in WRAP,
> and calling the authentication part simply the Token Authentication
> scheme, in line with Basic and Digest?
>
> I think this would be much more in-line with people's expectations
> of the OAuth "brand".
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth