On Thu, Oct 1, 2009 at 4:12 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
> The new scheme (I am proposing 'Token' as scheme name but am open for other suggestions) will
> replace the 'OAuth' scheme name and will use the following syntax
> (please help with an ABNF version please...):

Any pressing reason to change from "OAuth" to "Token"?

> WWW-Authenticate: Token <sub-scheme> realm="", <sub-scheme-param>, ...

Should probably drop "realm" unless we can define the semantics. (I can't.)

I think that the ABNF should probably just be the prefix, followed by name-value pairs. I don't see a reason to have a separate sub-scheme.

Out of curiosity, what would people think if instead of defining yet-another-serialization-format, we used JSON for this, e.g.

WWW-Authenticate: Token <json>

> I am purposely not including the RSA option since it is not sufficiently defined.
> If there is a need for it (Google was the only company asking for it and they now
> support other alternatives) we can discuss how to implement it in this new proposal.

RSA is important. Public key crypto is a building block we shouldn't leave out. Not having it means we can't ever do any kind of automatic consumer discovery.

That said, RSA might only get used when requesting access tokens, not when using them. There is no RSA private key associated with an access token, so it's kind of hard to use it. =)

Cheers,
Brian
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
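
The "prefix, followed by name-value pairs" form discussed in the message above, as an added example that is not part of the original thread or of any OAuth specification: a strict parser for a challenge value of that shape. It assumes HTTP's usual auth-param syntax (token or quoted-string values, comma separated); the parameter names `method`, `nonce` and `ts` and the sample header are constructed for illustration.

```python
import re

# HTTP "token" characters and a quoted-string with backslash escapes.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME = re.compile(r"\s*(%s)(?:\s+|$)" % _TOKEN)
_PARAM = re.compile(r"\s*(%s)\s*=\s*(%s|%s)\s*(?:,|$)" % (_TOKEN, _TOKEN, _QUOTED))

# Constructed sample: the nonce holds a comma and an escaped quote, which a
# plain split(",") would cut in the wrong place.
SAMPLE = 'Token method="hmac-sha1", nonce="a,b\\"c", ts=1254438720'


def parse_challenge(value):
    """Parse 'Scheme name=value, name="quoted"' into (scheme, params)."""
    m = _SCHEME.match(value)
    if not m:
        raise ValueError("missing scheme")
    scheme, pos, params = m.group(1), m.end(), {}
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if not m:
            raise ValueError("malformed parameter at offset %d" % pos)
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            # Strip the quotes and undo backslash escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        if name in params:
            # Reject duplicates: two parsers could otherwise disagree on
            # which value is authoritative.
            raise ValueError("duplicate parameter %r" % name)
        params[name] = raw
        pos = m.end()
    return scheme, params


if __name__ == "__main__":
    print(parse_challenge(SAMPLE))
```
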