On Wed, Feb 22, 2012 at 11:36 AM, Barry Leiba <barryleiba@computer.org> wrote:
>> browser id, openid, and oauth are all authentication frameworks built
>> on top of HTTP
>
> OAuth is an authorization framework, not an authentication one. Please be
> careful to make the distinction.

I call rubbish: http://tools.ietf.org/html/rfc5849#section-1.1

And I quote:

"   client
       An HTTP client (per [RFC2616]) capable of making OAuth-
       authenticated requests (Section 3).

    server
       An HTTP server (per [RFC2616]) capable of accepting OAuth-
       authenticated requests (Section 3)."

OAuth certainly *thinks* it provides *both* Authentication *and*
Authorization, and it uses the same header that Basic and Digest do -
Authorization.

> What we're looking at here is the need for an HTTP authentication system
> that (for example) doesn't send reusable credentials, is less susceptible to
> spoofing attacks, and so on.

Those are good things too, though orthogonal to my point, which is that
some of the most widely deployed authentication - yes, authentication -
systems used by web sites are not part of the HTTP protocol spec.
OpenID and cookie based systems in general. (Though OAuth is a pleasing
exception in that it can and does preferentially use the Authorization
header).

-Rob

Received on Tuesday, 21 February 2012 22:53:55 GMT
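The "OAuth-authenticated request" that RFC 5849 section 3 describes, and that Rob's reply points at, is a signed Authorization header. The following is an added worked example for this archive page, not code from the thread, from the RFC or from any project: it builds the section 3.4.1 signature base string for the request given in RFC 5849 section 3.4.1.1 (consumer key, token, nonce and timestamp are the RFC's; the two secrets are sample values chosen here), signs it with HMAC-SHA1 per section 3.4.2, emits the section 3.5.1 header, and then verifies it server-side with the section 3.3 timestamp and nonce checks, which is what makes the credential non-reusable in the sense Barry raises. The `Verifier` class and its dictionary-of-secrets layout are an assumption made for the illustration.

```python
"""RFC 5849 (OAuth 1.0) HMAC-SHA1 request signing and verification.
Added illustration for this thread; not code from the list or any project.
Request, key, token, nonce and timestamp are the RFC 5849 s.3.4.1.1 example;
CLIENT_SECRET and TOKEN_SECRET are sample values chosen here."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote


def pct(s: str) -> str:
    """s.3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(s.encode("utf-8"), safe="~")


def base_string(method: str, base_url: str, query: str, body: str, params: dict) -> str:
    """s.3.4.1 signature base string. base_url is already the scheme://host/path
    form of s.3.4.1.2; body is included only because it is form-encoded."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in params.items() if k not in ("realm", "oauth_signature")]
    # s.3.4.1.3.2: encode each name/value, sort by encoded name then value, join.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base: str, client_secret: str, token_secret: str) -> str:
    """s.3.4.2: key is encoded client secret, '&', encoded token secret."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_header(realm: str, params: dict, signature: str) -> str:
    """s.3.5.1 Authorization header; every value percent-encoded."""
    items = [("realm", realm), *params.items(), ("oauth_signature", signature)]
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in items)


def parse_header(header: str) -> dict:
    """Inverse of build_header (sufficient for the comma-separated form used here)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    out = {}
    for item in rest.split(","):
        name, _, value = item.strip().partition("=")
        out[name] = unquote(value.strip('"'))
    return out


class Verifier:
    """Hypothetical server side: recompute the signature and enforce the s.3.3
    timestamp/nonce rules, so a captured header cannot simply be replayed."""

    def __init__(self, client_secrets: dict, token_secrets: dict, window: int = 300):
        self.client_secrets, self.token_secrets, self.window = client_secrets, token_secrets, window
        self.seen = set()  # (consumer_key, token, timestamp, nonce) already accepted

    def verify(self, method, base_url, query, body, header, now: int):
        p = parse_header(header)
        try:
            client_secret = self.client_secrets[p["oauth_consumer_key"]]
            token_secret = self.token_secrets.get(p.get("oauth_token", ""), "")
            if p["oauth_signature_method"] != "HMAC-SHA1":
                return False, "unsupported signature method"
            if abs(now - int(p["oauth_timestamp"])) > self.window:
                return False, "stale timestamp"
            replay_key = (p["oauth_consumer_key"], p.get("oauth_token", ""),
                          p["oauth_timestamp"], p["oauth_nonce"])
            if replay_key in self.seen:
                return False, "nonce already used"
            expected = hmac_sha1(base_string(method, base_url, query, body, p),
                                 client_secret, token_secret)
            if not hmac.compare_digest(expected, p["oauth_signature"]):
                return False, "bad signature"
        except KeyError as missing:
            return False, f"missing parameter {missing}"
        self.seen.add(replay_key)
        return True, "ok"


# The request from RFC 5849 s.3.4.1.1: POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b
# to host example.com with form body "c2&a3=2+q".
RFC_PARAMS = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
              "oauth_nonce": "7d8f3e4a"}
REQUEST = ("POST", "http://example.com/request", "b5=%3D%253D&a3=a&c%40=&a2=r%20b", "c2&a3=2+q")
CLIENT_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"  # sample secrets chosen here
# The base string printed in RFC 5849 s.3.4.1.1 for that request.
RFC_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
                   "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
                   "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
                   "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")


def signed_header() -> str:
    sig = hmac_sha1(base_string(*REQUEST, RFC_PARAMS), CLIENT_SECRET, TOKEN_SECRET)
    return build_header("Example", RFC_PARAMS, sig)


def new_verifier() -> Verifier:
    return Verifier({"9djdj82h48djs9d2": CLIENT_SECRET}, {"kkk9d7dh3k39sjv7": TOKEN_SECRET})


if __name__ == "__main__":
    print(base_string(*REQUEST, RFC_PARAMS) == RFC_BASE_STRING)
    v, hdr = new_verifier(), signed_header()
    print(hdr)
    print(v.verify(*REQUEST, hdr, now=137131201))  # accepted
    print(v.verify(*REQUEST, hdr, now=137131201))  # same header again: rejected as a replay
```

Run stand-alone it confirms the base string matches the one printed in the RFC, accepts the signed request once, and refuses the identical header a second time. The parameter set signed here is bound to the method, URL, query and form body, so the timestamp window and nonce cache are what stop a captured header from being reused, as opposed to Basic, where the header itself is the reusable credential.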