On Jan 14, 2010, at 2:15 PM, Igor Faynberg wrote:

> John Kemp wrote:
>> ...
>> And I think there are such cases - rather vaguely I could say that the broad
>> category would be anything for which a large volume of authorized requests
>> is possible, and where the "value" in an individual request is low. That
>> certainly does not include email, which I rather think _is_ deserving of
>> confidentiality over insecure networks (of course, Gmail does allow you to
>> turn off https if you are in a more secure network environment).
>>
>> ...
> There definitely are such use cases. For instance, if I kept a photo album on
> Flickr and asked Kodak to print it, I personally would not care if others
> got access to this album by replaying (or just learned that I was trying to
> print some pictures). But I envision that OAuth will be used in much more
> serious cases, where the "value" will be high. The problem is that allowing
> individual users to judge the value, understand the risks, and make their
> own decisions in specific cases is not a good idea. The protocol must enforce
> it.
What delegated authorization protocol should be used to deal with those "not so serious" use-cases then, if OAuth makes them too expensive?

Cheers,

- johnk

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth