On Jul 13, 2010, at 2:46 PM, Richer, Justin P. wrote:

>>> I would be very unhappy if we equated access tokens with passwords.
>>> 
>>> I agree with Dirk that "capability" is a more expressive phrase than either
>>> "shared secret" or "password".
> 
>> Expressive to you and people well-versed in security theory. It means
>> nothing to a casual reader. The token definition includes the term, but in
>> this section, it is referring to how an access token is used, and it is used
>> just like a password.
> 
> Definitely agree with Eran here. The term "capability" doesn't mean much to 
> me in this circumstance, but "like a password" tells me exactly what I, as an 
> implementer, can expect. 

Perhaps so, but it doesn't correctly describe how the token should be used, or 
deal with the difference between authentication and authorization. It also 
doesn't reflect the language used elsewhere in the specification. 

Regards,

- johnk

> 
> -- Justin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
