On Feb 18, 2010, at 9:14 AM, Eran Hammer-Lahav wrote:

> A few questions we should answer before moving forward. Considering *your*
> use cases and reasons for being here:
>
> 1. Why are you here? What are you trying to solve that is not already
> addressed by existing specifications (OAuth 1.0a, WRAP, etc)?

I'm here because I believe that openness can make the internet a better place. In a perfect world, an app developer wouldn't have to write code for each new service provider; everything would just work. More concretely, I'm here because I want to help develop OAuth into something suitable not only for the average-sized site, but suitable even for a site as large and complicated as Facebook to adopt as its main authorization protocol. The problems with OAuth 1.0a are that the flow is too complicated, the protocol is non-performant (specifically, too many roundtrips), and it doesn't support non-website use cases such as desktop or mobile as effectively as other protocols.

>
> 2. Should the WG start by taking WRAP or OAuth 1.0a as its starting point?
> Something else?

By focusing on actual use cases, I believe WRAP has more potential as a starting point. However, OAuth 1.0a is more mature. Either would be fine as a starting point.

>
> 5. Do you think the approach of working first on 'how to use a token' and
> then on 'how to get a token' is right?

Yes.

>
> 6. Should we go back to working on a single specification?

I'm not sure if working on a single specification is the right answer (e.g., we might want one specification for obtaining tokens and another one for how to use them), but I believe we should unify efforts on a set of interoperable standards instead of working on competing ones.

>
> 7. Do you think the protocol should include a signature-based authentication
> scheme?

Yes.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth