On 04/02/2010 01:57 AM, Peter Saint-Andre wrote:
On 3/24/10 11:32 AM, Leif Johansson wrote:
On 03/23/2010 12:00 AM, Eve Maler wrote:
Since the discussion in the "OAuth after-party" seemed to warrant
bringing it up, I mentioned the UMA design principles/requirements
document.  You can find it here:

http://kantarainitiative.org/confluence/display/uma/UMA+Requirements

The discussion is around "Why can't Kerberos just be used for your use
cases?"  The UMA principles might be able to inform how the OAuth WG
makes its case for why Kerberos doesn't suffice.  (If we discover it
does, hey, our work here is done. :-)

There are two threads here:

- why Kerberos _as such_ does or does not work for the use-cases
- what experiences from 3rd party schemes such as Kerberos or STS are
valuable for OAuth.

Being a long-time Kerberos fanboy, I still say that one of those threads
is interesting and the other isn't.

I think it's much more valuable to talk about how to distill experience
from Kerberos (etc) which are applicable to the design of OAuth.

Agreed. Do you know if anyone has written up the design principles
behind (or lessons learned) from Kerberos and STS? If not, we'll need to
start prodding people into sharing their wisdom...

Thomas, does the mitkc have something written on the subject of Kerberos
from 10k feet that might be useful in this context? I'm cc:ing lha, who
also has tons of implementation experience.


        Cheers Leif



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
