On 2010-09-26, at 11:02 PM, Eran Hammer-Lahav wrote:

> Clearly, this group is making choices based on the kind of applications using 
> OAuth 1.0 today. The decision to focus on bearer tokens came from specific 
> experiences and types of consumer web services.

Any other applications are hypothetical.

> 
> I'm all for a simple and generic way to issue a token with additional 
> attributes such as a secret, required algorithm, etc. But main objection is 
> to the publication of a standard that promotes bearer token as its "purest" 
> form, and moves something that I consider a core security component to 
> somewhere else.

It is only a core security component in some use cases.

>  What I absolutely object to is presenting a specification that to a new 
> reader will read as if bearer tokens are the default way to go. OAuth 2.0 
> core today reads like a complete protocol and that's my problem.

It is a complete protocol for many existing use cases. For those use cases 
where it is not, you can require signatures and point people to the 
signature spec, just like the use of bearer tokens points people to the TLS 
specs.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth