
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Robert Collins <robertc@squid-cache.org>
Date: Wed, 22 Feb 2012 11:53:27 +1300
Message-ID: <CAJ3HoZ0wtOrNg+0CCueeq1hfj31EJViw1GaM6cV8GwqjtWcPsA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Feb 22, 2012 at 11:36 AM, Barry Leiba <barryleiba@computer.org> wrote:
>> browser id, openid, and oauth are all authentication frameworks built
>> on top of HTTP
>
> OAuth is an authorization framework, not an authentication one.  Please be
> careful to make the distinction.

I call rubbish:

http://tools.ietf.org/html/rfc5849#section-1.1

And I quote: "   client
         An HTTP client (per [RFC2616]) capable of making OAuth-
         authenticated requests (Section 3).

   server
         An HTTP server (per [RFC2616]) capable of accepting OAuth-
         authenticated requests (Section 3)."

OAuth certainly *thinks* it provides *both* Authentication *and*
Authorization, and it uses the same header that Basic and Digest do -
Authorization.

> What we're looking at here is the need for an HTTP authentication system
> that (for example) doesn't send reusable credentials, is less susceptible to
> spoofing attacks, and so on.

Those are good things too, though orthogonal to my point, which is
that some of the most widely deployed authentication - yes,
authentication - systems used by web sites are not part of the HTTP
protocol spec. OpenID and cookie-based systems in general.

(Though OAuth is a pleasing exception in that it can and does
preferentially use the Authorization header).

-Rob
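As an added example (not part of Rob's message, nor code from RFC 5849 or any OAuth library), the following Python shows concretely what the thread is arguing about: both the Basic scheme and an RFC 5849 OAuth-signed request travel in the same Authorization header, but Basic carries a reusable credential while OAuth 1.0 HMAC-SHA1 carries a per-request signature bound to the method, URI, parameters, nonce and timestamp. The parameter names and encoding rules follow RFC 5849 Sections 3.4 through 3.6; the consumer key, token, secrets, nonce, timestamp and URL are constructed sample values, and the nonce bookkeeping in `verify_request` is an assumed server-side policy, not something the RFC prescribes in detail.

```python
"""Added example: RFC 5849 (OAuth 1.0) HMAC-SHA1 request signing and
verification next to the Basic scheme. All keys, tokens and URLs below are
constructed sample values, not credentials from the original page."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s):
    # RFC 5849 Section 3.6: percent-encode everything except unreserved chars.
    return quote(s, safe="-._~")


def base_string_uri(url):
    # RFC 5849 Section 3.4.1.2: lowercase scheme/host, drop default port,
    # drop query string and fragment.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalize_params(params):
    # RFC 5849 Section 3.4.1.3.2: encode name and value, sort by name then
    # value, join with '=' and '&'. 'realm' is never part of the signature.
    encoded = sorted((pct(k), pct(v)) for k, v in params if k != "realm")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, params):
    # RFC 5849 Section 3.4.1.1: METHOD & encoded(URI) & encoded(normalized params).
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    # RFC 5849 Section 3.4.2: key is encoded(consumer secret) & encoded(token secret).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """Client side: return (Authorization header value, signature base string)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    base = signature_base_string(method, url, query + body_params + list(oauth_params.items()))
    sig = hmac_sha1_signature(base, consumer_secret, token_secret)
    header_params = dict(oauth_params, oauth_signature=sig)
    # RFC 5849 Section 3.5.1: "OAuth" scheme, comma-separated, values quoted.
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in header_params.items())
    return header, base


def parse_oauth_header(value):
    scheme, _, rest = value.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, body_params, header, consumer_secret, token_secret, seen_nonces):
    """Server side: recompute the signature and reject replays (assumed policy:
    a (consumer key, token, timestamp, nonce) tuple may be accepted once)."""
    params = parse_oauth_header(header)
    sig = params.pop("oauth_signature")
    params.pop("realm", None)
    nonce_key = (params["oauth_consumer_key"], params.get("oauth_token", ""),
                 params["oauth_timestamp"], params["oauth_nonce"])
    if nonce_key in seen_nonces:
        return False
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    base = signature_base_string(method, url, query + body_params + list(params.items()))
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    if not hmac.compare_digest(sig, expected):
        return False
    seen_nonces.add(nonce_key)
    return True


def basic_header(user, password):
    # RFC 7617: the header *is* the reusable credential, merely base64-encoded.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(header):
    # Anyone holding a captured Basic header recovers the password directly.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


if __name__ == "__main__":
    oauth = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
             "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}
    hdr, base = sign_request("POST", "http://example.com/request?b=2", [("a", "r b")],
                             oauth, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
    print(base)
    print(hdr)
    print(basic_header("Aladdin", "open sesame"))
```

The verifier recomputes the base string from the request it actually received, so a captured OAuth header fails on any other method, URI, query or body, and fails a second time on the same request once the nonce has been seen; a captured Basic header works everywhere until the password is changed. That is the "reusable credentials" distinction Barry raises, independent of whether one files OAuth under authentication or authorization.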
Received on Tuesday, 21 February 2012 22:53:55 GMT
