W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Robert Collins <robertc@squid-cache.org>
Date: Wed, 22 Feb 2012 11:53:27 +1300
Message-ID: <CAJ3HoZ0wtOrNg+0CCueeq1hfj31EJViw1GaM6cV8GwqjtWcPsA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Feb 22, 2012 at 11:36 AM, Barry Leiba <barryleiba@computer.org> wrote:
>> browser id, openid, and oauth are all authentication frameworks built
>> on top of HTTP
> OAuth is an authorization framework, not an authentication one.  Please be
> careful to make the distinction.

I call rubbish:


And I quote: "   client
         An HTTP client (per [RFC2616]) capable of making OAuth-
         authenticated requests (Section 3).

         An HTTP server (per [RFC2616]) capable of accepting OAuth-
         authenticated requests (Section 3)."

OAuth certainly *thinks* it provides *both* Authentication *and*
Authorization, and it uses the same header that Basic and Digest do -

> What we're looking at here is the need for an HTTP authentication system
> that (for example) doesn't send reusable credentials, is less susceptible to
> spoofing attacks, and so on.

Those are good things too, though orthogonal to my point, which is
that some of the most widely deployed authentication - yes,
authentication - systems used by web sites are not part of the HTTP
protocol spec. OpenID  and cookie based systems in general.

(Though OAuth is a pleasing exception in that it can and does
preferentially use the Authorization header).

Received on Tuesday, 21 February 2012 22:53:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:00 UTC