On Sat, Oct 3, 2009 at 10:46 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:

> *** It would be helpful if other people chime in on this topic. This is a
> critical decision we need to make regarding new schemes. One proposal
> is to have different schemes for different types of access (direct vs. delegated).
> Another is to reuse an existing scheme (with a new MAC-based one) for both
> usernames and tokens, and differentiate them on the server side using the
> credential structure (token or username) and on the client side using the
> realm parameter (and the header order). Of course, there are probably other
> proposals coming. ***

Eran points out that I've posted several times to this thread without actually answering the question he asked. =)

I don't think we should use basic auth to send tokens. I'd rather see us use a new auth scheme.

- basic auth has existing semantics for "realm". They aren't the same semantics we need for OAuth.
- using the basic auth scheme would cripple our ability to add new signature methods.

It is in theory possible to treat a token as a username and a token secret as a password, but I don't think it would be a particularly useful thing to do. If we want to use bearer tokens, we should just drop the token secret altogether.

Cheers,
Brian
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.