Hmm. Historically the separation came from the way the communities grew up actually. There were thoughts initially to make OAuth an extension of OpenID but because I was wary of the politics within the OpenID community, I pushed for keeping OAuth completely separate and avoiding having to do anything with authentication (so that it could be used with OpenID, but would have its own adoption curve). The typo on the homepage was probably my fault, since, being the identity n00b, I didn't realize the difference until after I went home from the DevHouse where I put up the homepage after a couple beers. It didn't change because (apparently!) no one else seemed to read it that closely.

Funny how these things develop -- not always out of explicit intention, but just because of the time allotted to get the thing out the door!

...as for your idea, George, I think I get it, and it sounds interesting. Can you give a concrete example where that could be used today?

Chris

On Wed, Jan 28, 2009 at 12:58 PM, Hans Granqvist <h...@granqvist.com> wrote:
>
> Yep. The entire authentication/authorization discussion is sadly muddled.
> The OAuth/OpenID hybrid proposal is adding to the confusion.
>
> Sometimes I feel like we (people who have interest in the two concepts)
> maintain there is a difference to justify standards' existence, even if
> it's largely an academic difference with no pragmatic real meaning.
>
> Other times it feels okay that they should be separate. Just one of those
> things, I guess.
>
> For the longest time oauth.net claimed OAuth was for API authentication
> and no one really noticed.
>
> The only thing worth being very strict about, IMO, is identity and
> authentication. Never the twain should meet.
>
> It's HMACs all the way down anyway :)
>
> Hans
>
>
> On Wed, Jan 28, 2009 at 12:02 PM, John Kristian <jmkrist...@gmail.com>
> wrote:
> >
> > Yes, a digital signature can be used for authentication. SSL/TLS is
> > one example. OAuth specifies some signing algorithms that could be
> > used for the purpose.
> >
> > But it seems dangerous to extend OAuth to do authentication as well as
> > authorization. Better for OAuth to focus on doing one thing really
> > well.
> >

--
Chris Messina
Citizen-Participant & Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private