- From: David Morris <dwm@xpasc.com>
- Date: Wed, 22 Feb 2012 07:25:16 -0800 (PST)
- To: "'HTTP Working Group'" <ietf-http-wg@w3.org>
- cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "iesg@ietf.org" <iesg@ietf.org>, IETF-Discussion <ietf@ietf.org>
On Wed, 22 Feb 2012, Julian Reschke wrote:

> On 2012-02-22 08:04, David Morris wrote:
> >
> >
> > On Tue, 21 Feb 2012, Michael Richardson wrote:
> >
> > >
> > > >>>>> "Barry" == Barry Leiba<barryleiba@computer.org> writes:
> > > Barry> OAuth is an authorization framework, not an authentication
> > > Barry> one. Please be careful to make the distinction.
> > >
> > > Barry> What we're looking at here is the need for an HTTP
> > > Barry> authentication system that (for example) doesn't send
> > > Barry> reusable credentials, is less susceptible to spoofing
> > > Barry> attacks, and so on.
> > >
> > > and is implemented in HTTP, not in terms of HTML forms, yet has all the
> > > flexibility of the HTML form method?
> >
> > And includes the ability for the user to logoff / the server reset the
> > login?
>
> Is that a protocol problem or a user agent problem?
>
> --
> <http://lists.w3.org/Archives/Public/www-archive/2012Jan/0023.html>

I consider it a protocol issue in the same way that authentication is a protocol issue.

The question I was responding to was one of adoption by application developers and is in addition to the lack of application control over the current authenticate dialog. A "use case" if you will.

The JS approach isn't really adequate because not all user agents execute the payload. Second 1/2 of the "use case."

I'm not advocating that this be solved as part of the Recharter/2.0 activity, I'm neutral on the where question.

Received on Wednesday, 22 February 2012 15:25:51 UTC