Brian,

> - basic auth has existing semantics for "realm".
> They aren't the same semantics we need for OAuth."

Could you explain this a bit more? What semantics does OAuth need?

BASIC only assumes a realm is unambiguous in the context of one site. That is probably more limited than many OAuth providers want. However, I can't see any problems with a delegation flow expanding that: e.g. saying "treat *.example.net and api.example.com as a single context for realm values".

> - using the basic auth scheme would cripple our ability to add new
> signature methods.

I don't understand this one. How does it preclude defining a separate MAC scheme or RSA scheme?

> If we want to use bearer tokens, we should just drop the token secret altogether.

I think I agree here. It would be helpful to support bearer tokens as one OAuth option (making the secret optional in the delegation flow and defining an "Authorization: Id <token>" scheme specifically for this case).

James
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
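The three points James raises (a realm that spans several hosts, a separate MAC scheme alongside a bearer one, and an "Authorization: Id <token>" scheme for tokens issued without a secret) can be made concrete in a small server-side authenticator. The following is an added example and not code from the thread, the IETF OAuth drafts or any implementation: the `Id` and `MAC` header formats, the HMAC-SHA256 signing string, the `REALMS` host-pattern table and the token store are all assumptions made for illustration. One security detail the e-mail leaves open is what a server should do when a token that was issued with a secret is presented bare; here that is refused, so a client cannot silently downgrade a signed token to a bearer token.

```python
"""Added example (not from the mailing-list thread): a toy server-side
authenticator contrasting a bearer-style "Id <token>" scheme, which needs no
token secret, with a MAC scheme in which the client signs the request with
the token secret. Header formats, signing string and realm table are
assumptions for illustration only."""
import fnmatch
import hashlib
import hmac

# Constructed sample token store: token id -> secret (None = issued as bearer)
TOKENS = {
    "tok-bearer-1": {"secret": None, "user": "alice"},
    "tok-mac-1": {"secret": b"s3cr3t", "user": "bob"},
}

# Realm scoping: a realm may cover several hosts, as the e-mail suggests
# ("treat *.example.net and api.example.com as a single context").
REALMS = {
    "example": ["*.example.net", "api.example.com"],
}


def realm_for_host(host):
    """Return the realm name whose host patterns cover `host`, else None."""
    for realm, patterns in REALMS.items():
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return realm
    return None


def parse_authorization(value):
    """Split an Authorization header into (scheme, params) for the two
    assumed schemes: 'Id <token>' and 'MAC id="..", nonce="..", mac=".."'."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    if scheme == "Id":
        params["token"] = rest.strip()
    elif scheme == "MAC":
        for part in rest.split(","):
            key, _, val = part.strip().partition("=")
            params[key] = val.strip().strip('"')
    return scheme, params


def sign_mac(secret, method, path, host, nonce):
    """Assumed signing string: method, path, host and nonce, newline-joined."""
    msg = "\n".join([method, path, host, nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_mac_header(token_id, secret, method, path, host, nonce):
    """What a client holding a token secret would send."""
    mac = sign_mac(secret, method, path, host, nonce)
    return f'MAC id="{token_id}", nonce="{nonce}", mac="{mac}"'


def authenticate(authorization, method, path, host, seen_nonces):
    """Return the user owning the token, or None if the request is rejected.
    `seen_nonces` is a set shared across calls so MAC requests cannot be replayed."""
    if realm_for_host(host) is None:
        return None  # host is outside every realm this server serves
    scheme, params = parse_authorization(authorization)
    if scheme == "Id":
        tok = TOKENS.get(params.get("token"))
        # A token issued with a secret must not be accepted as a bare bearer
        # token; that would let a client downgrade the MAC scheme.
        if tok is None or tok["secret"] is not None:
            return None
        return tok["user"]
    if scheme == "MAC":
        tok = TOKENS.get(params.get("id"))
        if tok is None or tok["secret"] is None:
            return None
        nonce = params.get("nonce", "")
        if not nonce or nonce in seen_nonces:
            return None  # missing nonce or replay
        expected = sign_mac(tok["secret"], method, path, host, nonce)
        if not hmac.compare_digest(expected, params.get("mac", "")):
            return None  # signature does not cover this method/path/host
        seen_nonces.add(nonce)
        return tok["user"]
    return None  # unknown scheme


if __name__ == "__main__":
    seen = set()
    print(authenticate("Id tok-bearer-1", "GET", "/r", "api.example.com", seen))
    hdr = client_mac_header("tok-mac-1", b"s3cr3t", "GET", "/r", "www.example.net", "n1")
    print(authenticate(hdr, "GET", "/r", "www.example.net", seen))
```

The bearer path does nothing but look the token up, which is exactly why dropping the secret for that case costs nothing; the MAC path is where a secret earns its keep, binding the token to one method, path, host and nonce. Adding an RSA scheme would be a third branch with its own parser, untouched by the other two.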