
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 09:25:43


On Wed, 22 Feb 2012, Julian Reschke wrote:

On 2012-02-22 08:04, David Morris wrote:


On Tue, 21 Feb 2012, Michael Richardson wrote:


"Barry" == Barry Leiba <barryleiba(_at_)computer(_dot_)org> writes:
     Barry>  OAuth is an authorization framework, not an authentication
     Barry>  one.  Please be careful to make the distinction.

     Barry>  What we're looking at here is the need for an HTTP
     Barry>  authentication system that (for example) doesn't send
     Barry>  reusable credentials, is less susceptible to spoofing
     Barry>  attacks, and so on.

and is implemented in HTTP, not in terms of HTML forms, yet has all the
flexibility of the HTML form method?

And includes the ability for the user to logoff / the server reset the
login?

Is that a protocol problem or a user agent problem?

-- > <http://lists.w3.org/Archives/Public/www-archive/2012Jan/0023.html>

I consider it a protocol issue in the same way that authentication is a
protocol issue.

The question I was responding to was one of adoption by application
developers and is in addition to the lack of application control over
the current authenticate dialog. A "use case" if you will.

The JS approach isn't really adequate because not all user agents
execute the payload. Second 1/2 of the "use case."

I'm not advocating that this be solved as part of the Recharter/2.0
activity, I'm neutral on the where question.