Re: [OAUTH-WG] What are the OAuth design principles?
On 04/02/2010 01:57 AM, Peter Saint-Andre wrote:
> On 3/24/10 11:32 AM, Leif Johansson wrote:
>> On 03/23/2010 12:00 AM, Eve Maler wrote:
>>> Since the discussion in the OAuth after-party seemed to warrant bringing it up, I mentioned the UMA design principles/requirements document. You can find it here:
>>>
>>> http://kantarainitiative.org/confluence/display/uma/UMA+Requirements
>>>
>>> The discussion is around "Why can't Kerberos just be used for your use cases?" The UMA principles might be able to inform how the OAuth WG makes its case for why Kerberos doesn't suffice. (If we discover it does, hey, our work here is done. :-)
>>
>> There are two threads here
>>
>> - why Kerberos _as such_ does or does not work for the use-cases
>> - what experiences from 3rd party schemes such as Kerberos or STS are valuable for OAuth.
>>
>> Being a long-time Kerberos-fanboy I still say that one of those threads is interesting and the other isn't. I think it's much more valuable to talk about how to distill experience from Kerberos (etc) which is applicable to the design of OAuth.
>
> Agreed. Do you know if anyone has written up the design principles behind (or lessons learned) from Kerberos and STS? If not, we'll need to start prodding people into sharing their wisdom...

Thomas, does the mitkc have something written on the subject of Kerberos from 10k feet that might be useful in this context?

I'm cc:ing lha who also has tons of implementation experience.

Cheers
Leif

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] What are the OAuth design principles?
On 3/24/10 11:32 AM, Leif Johansson wrote:
> On 03/23/2010 12:00 AM, Eve Maler wrote:
>> Since the discussion in the OAuth after-party seemed to warrant bringing it up, I mentioned the UMA design principles/requirements document. You can find it here:
>>
>> http://kantarainitiative.org/confluence/display/uma/UMA+Requirements
>>
>> The discussion is around "Why can't Kerberos just be used for your use cases?" The UMA principles might be able to inform how the OAuth WG makes its case for why Kerberos doesn't suffice. (If we discover it does, hey, our work here is done. :-)
>
> There are two threads here
>
> - why Kerberos _as such_ does or does not work for the use-cases
> - what experiences from 3rd party schemes such as Kerberos or STS are valuable for OAuth.
>
> Being a long-time Kerberos-fanboy I still say that one of those threads is interesting and the other isn't. I think it's much more valuable to talk about how to distill experience from Kerberos (etc) which is applicable to the design of OAuth.

Agreed. Do you know if anyone has written up the design principles behind (or lessons learned) from Kerberos and STS? If not, we'll need to start prodding people into sharing their wisdom...

Peter

--
Peter Saint-Andre
https://stpeter.im/

[OAUTH-WG] What are the OAuth design principles?
Since the discussion in the OAuth after-party seemed to warrant bringing it up, I mentioned the UMA design principles/requirements document. You can find it here:

http://kantarainitiative.org/confluence/display/uma/UMA+Requirements

The discussion is around "Why can't Kerberos just be used for your use cases?" The UMA principles might be able to inform how the OAuth WG makes its case for why Kerberos doesn't suffice. (If we discover it does, hey, our work here is done. :-)

Eve

Eve Maler
e...@xmlgrrl.com
http://www.xmlgrrl.com/blog

Re: [OAUTH-WG] What are the OAuth design principles?
My design principles would be the following, as we already have protocols that solve many complex use cases:

1. Simple programming model
3. Reduce deployment barriers
2. Limited or no client side code (works with a browser)
3. Replace username/password scenarios
4. No client side key distribution nightmares

-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eve Maler
Sent: Monday, March 22, 2010 4:01 PM
To: OAuth WG
Subject: [OAUTH-WG] What are the OAuth design principles?

Since the discussion in the OAuth after-party seemed to warrant bringing it up, I mentioned the UMA design principles/requirements document. You can find it here:

http://kantarainitiative.org/confluence/display/uma/UMA+Requirements

The discussion is around "Why can't Kerberos just be used for your use cases?" The UMA principles might be able to inform how the OAuth WG makes its case for why Kerberos doesn't suffice. (If we discover it does, hey, our work here is done. :-)

Eve

Eve Maler
e...@xmlgrrl.com
http://www.xmlgrrl.com/blog