Barry Leiba wrote:
>> browser id, openid, and oauth are all authentication frameworks built
>> on top of HTTP
> OAuth is an authorization framework, not an authentication one. Please be
> careful to make the distinction.
> What we're looking at here is the need for an HTTP authentication system
> that (for example) doesn't send reusable credentials, is less susceptible
> to spoofing attacks, and so on.
Hi Barry, maybe I should review the drafts (or not), but if it hasn't
been considered, this sounds like the only way possible is with a
persistent IP connection session management concept.

I can relate it based on our PCI framework for the web server, and much
of the modeling was based on our existing non-HTTP multi-device
hosting servers, already 100% based on a persistent IP connection,
line, or channel. It definitely works in areas where only one browser or
machine is allowed.

I was looking forward to further exploring WebSockets to possibly
be part of (revitalizing) this solution as well, since it works nicely
with the persistent IP concept with the backend.

On a related note, some web sites do this, and I first saw it with
Facebook, where it knows where I am logging in from. In a recent Philly
trip, I tried to log on and interestingly got a new login form where
it indicated I was at a different location. I had to verify who I was
again, if I recall, via my email/login account at gmail.com.
Ietf mailing list