
Re: [OAUTH-WG] Reevaluating Assumptions (Important!)



>>> One use case (I think I saw it mentioned somewhere else on the list)
>>> where we've used the URI parameters is when we want the server to sign a
>>> URL and then pass that signed value to the browser to load.
>>> This can be done with a simple 302 and the signed URL.

>> Yep.  I've seen that done multiple places.
>>
>> One more unexpected use of OAuth...

> Can you describe the actual use case?

Amazon S3 (Simple Storage Service) offers this feature.
You can store your private data in S3.
To access it you digitally-sign your HTTP requests (using HMAC) -- putting the signature in an HTTP Authorization header.
If you want to give another user (temporary) access to one piece of your data, you send them a signed URI for that data. They can now download the data. They never get your S3 credentials. They can access the data from a standard browser. The bulk data transfer can go straight from S3 to their browser, not via your computer.

I believe it is useful for buying content (movies, software...). Once you have paid you get the signed URI, it times-out shortly afterwards.


James Manger
James.H.Manger at team.telstra.com
Identity and security team — Chief Technology Office — Telstra
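The signed-URI scheme James describes, as an added example that is not part of the original thread and is not S3's actual signing algorithm: the server mints a URI whose HMAC covers the method, the exact path and an expiry, and the verifier rejects expired, altered or unsigned URIs. The secret, host and paths are constructed values.

```python
"""Time-limited HMAC-signed URI (constructed example, not the S3 algorithm).

The server holds the secret and signs "METHOD\npath\nexpires"; the browser
only ever sees the resulting URI. The verifier recomputes the tag, compares
it in constant time and enforces the time-out.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-secret"  # placeholder; load from a secret store in practice


def _string_to_sign(method: str, path: str, expires: int) -> bytes:
    # Bind the signature to the method, the resource and its expiry so that
    # none of them can be swapped without invalidating the tag.
    return f"{method}\n{path}\n{expires}".encode()


def sign_uri(base: str, path: str, ttl_seconds: int,
             now: Optional[int] = None, method: str = "GET") -> str:
    """Return base+path with expires and signature query parameters."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    tag = hmac.new(SECRET, _string_to_sign(method, path, expires),
                   hashlib.sha256).hexdigest()
    return f"{base}{path}?" + urlencode({"expires": expires, "signature": tag})


def verify_uri(uri: str, now: Optional[int] = None, method: str = "GET") -> bool:
    """True only if the URI is unexpired and its signature matches."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(uri)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        tag = query["signature"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters
    if now >= expires:
        return False  # the short time-out mentioned in the message
    expected = hmac.new(SECRET, _string_to_sign(method, parsed.path, expires),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison
```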
