Re: [OAUTH-WG] Separate names for authentication and authorization

Richard Barnes <rbarnes@bbn.com> Tue, 24 November 2009 13:55 UTC

Message-Id: <8A1C3A73-FE3C-4DFB-9F6B-3D3761B9B824@bbn.com>
From: Richard Barnes <rbarnes@bbn.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785182F4F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 24 Nov 2009 08:54:58 -0500
References: <90C41DD21FB7C64BB94121FBBC2E72343785182F4F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Separate names for authentication and authorization

The high-level separation makes sense; I'm fine with reserving OAuth
for the delegation flow and calling the authentication method
something else.  (Digression: Could this be helpful in allowing other
authentication mechanisms into OAuth?)

That said, I'm not sure "Token Auth" is quite accurate (you could just
as well pass a token over Basic).  The important thing about the
authentication scheme that OAuth defines is that it provides some of
the benefit of Digest (e.g., it doesn't reveal secrets) but without
requiring two RTTs.  Maybe something like "Direct Auth" ("One-Shot"?
"Simple-Digest"?).

On the other hand, it is just a name.  That which we call OAuth, by
any other name...

--Richard



On Nov 24, 2009, at 12:45 AM, Eran Hammer-Lahav wrote:

> How do people feel about using OAuth as the name for the different  
> flows to obtain a token, including the new flows defined in WRAP,  
> and calling the authentication part simply the Token Authentication  
> scheme, in line with Basic and Digest?
>
> I think this would be much more in-line with people's expectations  
> of the OAuth "brand".
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
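Added example (not code from this thread, from the WG, or from any OAuth library): the property Richard points at, that the OAuth 1.0 signed-request scheme never sends the secret and needs no server challenge, shown in working code next to the Basic header it is being contrasted with. The signing follows OAuth Core 1.0 Sections 9.1 and 9.2 (signature base string, HMAC-SHA1 over consumer_secret&token_secret); the key, token, secrets, nonce and timestamp are the spec's own Appendix A test values. Everything on the server side (the 300-second freshness window, the in-memory nonce set, the secrets_for lookup callback) is this example's own assumption, as is the constructed Basic header. Default-port normalization of the base URL is omitted for brevity.

```python
# Added example: OAuth 1.0 HMAC-SHA1 request signing (client) and verification (server),
# next to HTTP Basic, to illustrate "doesn't reveal secrets, one round trip".
# Not code from the thread or from any OAuth library. Signing per OAuth Core 1.0
# Sections 9.1/9.2; the server-side window and nonce cache are this example's choices.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved chars untouched."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Canonical string: METHOD & enc(base URL) & enc(sorted, encoded params)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return f"{method.upper()}&{pct(base_url)}&{pct(normalized)}"


def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    """Key is enc(consumer_secret)&enc(token_secret); the secrets themselves never go on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None) -> str:
    """Client side. One shot: nonce and timestamp are client-chosen, so no server challenge."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1(signature_base_string(method, url, oauth),
                                         consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_oauth_header(header: str) -> dict:
    """Parse 'OAuth k="v", k="v"' back into a dict, percent-decoding the values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        out[k] = unquote(v.strip('"'))
    return out


def verify_request(method, url, header, secrets_for, seen_nonces, now, window=300) -> bool:
    """Server side (assumed design): freshness window, replay cache, then recompute the MAC."""
    p = parse_oauth_header(header)
    required = ("oauth_consumer_key", "oauth_token", "oauth_timestamp", "oauth_nonce",
                "oauth_signature", "oauth_signature_method")
    if not all(k in p for k in required) or p["oauth_signature_method"] != "HMAC-SHA1":
        return False
    if abs(now - int(p["oauth_timestamp"])) > window:   # stale request (assumed 300 s window)
        return False
    replay_key = (p["oauth_consumer_key"], p["oauth_token"], p["oauth_timestamp"], p["oauth_nonce"])
    if replay_key in seen_nonces:                        # same nonce/timestamp seen before: replay
        return False
    consumer_secret, token_secret = secrets_for(p["oauth_consumer_key"], p["oauth_token"])
    expected = hmac_sha1(signature_base_string(method, url, p), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, p["oauth_signature"]):   # constant-time compare
        return False
    seen_nonces.add(replay_key)
    return True


def basic_password_from_header(header: str) -> str:
    """Contrast: Basic carries the secret itself, so anyone who reads the header has it."""
    user_pass = base64.b64decode(header.split(" ", 1)[1]).decode()
    return user_pass.split(":", 1)[1]


if __name__ == "__main__":
    # OAuth Core 1.0 Appendix A example values (consumer/token keys and secrets, nonce, timestamp).
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    hdr = sign_request("GET", url, "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                       "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00",
                       nonce="kllo9940pd9333jh", timestamp=1191242096)
    print("Authorization:", hdr)           # no secret appears in this header
    print("Basic reveals:", basic_password_from_header("Basic YWxpY2U6czNjcmV0"))  # constructed
```

Digest avoids revealing the password the same way (a keyed hash), but the server supplies the nonce in a 401 challenge, hence the second round trip; OAuth 1.0 moves nonce generation to the client, which is what lets it be one shot, at the price of the server having to keep a nonce cache and a clock window, as verify_request does above.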