--Richard

On Nov 24, 2009, at 9:55 AM, Paul C. Bryan wrote:

People generally refer to RFC 2617 as (HTTP) "Basic" and "Digest" authentication methods. Since OAuth is going toward "Token" as the method type in the Authorization header, it seems to be consistent to refer to it in similar fashion.

On Tue, 2009-11-24 at 08:54 -0500, Richard Barnes wrote:

The high-level separation makes sense; I'm fine with reserving OAuth for the delegation flow and calling the authentication method something else. (Digression: Could this be helpful in allowing other authentication mechanisms into OAuth?)

That said, I'm not sure "Token Auth" is quite accurate (you could just as well pass a token over Basic). The important thing about the authentication scheme that OAuth defines is that it provides some of the benefit of Digest (e.g., it doesn't reveal secrets) but without requiring two RTTs. Maybe something like "Direct Auth" ("One-Shot"? "Simple-Digest"?).

On the other hand, it is just a name. That which we call OAuth, by any other name..

--Richard

On Nov 24, 2009, at 12:45 AM, Eran Hammer-Lahav wrote:

How do people feel about using OAuth as the name for the different flows to obtain a token, including the new flows defined in WRAP, and calling the authentication part simply the Token Authentication scheme, in line with Basic and Digest?

I think this would be much more in-line with people's expectations of the OAuth "brand".

EHL

_______________________________________________
OAuth mailing list
OAuth at ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.