Hi James, sorry I didn't see your earlier suggestion.
And your text works for me - just looking for text that hints at
something beyond delegation
thanks
paul
On 4/6/11 11:15 PM, Manger, James H wrote:
Paul,
The draft-15.1 abstract is just the first sentence of the abstract I
suggested last month
[http://www.ietf.org/mail-archive/web/oauth/current/msg05693.html and
below]. The rest covered OAuth's other major aspect: issuing temporary
credentials that resource servers can handle, while a separate service
can handle permanent or exotic credentials (eg assertions). Does it
fit what you were after?
Your "directly negotiate access" phrase hints that there is more to
OAuth 2 than delegation, but I'm not sure that it explains it.
--
James Manger
*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of* Paul Madsen
*Sent:* Thursday, 7 April 2011 1:15 AM
*To:* Eran Hammer-Lahav
*Cc:* oauth@ietf.org
*Subject:* Re: [OAUTH-WG] draft-15 editorials
Proposed text
The OAuth 2.0 authorization protocol enables a third-party application
to obtain limited access to an HTTP service, either on behalf of an
end-user by orchestrating an approval interaction between the end-user
and the HTTP service, or by allowing the third-party application to
directly 'negotiate', on its own behalf, such access with the HTTP
service.
And I acknowledge the concerns that 'negotiate' might create, thus the
air quotes ....
paul
*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of* Manger, James H
*Sent:* Thursday, 17 March 2011 1:40 PM
*To:* OAuth WG
*Subject:* [OAUTH-WG] OAuth2 abstract
Comments on draft-ietf-oauth-v2-13:
1. *Abstract*
The 1-line abstract is not helpful -- it merely repeats the title. The
abstract is important as it is the text most widely seen around the
rest of the IETF community (eg in announcements of drafts and RFCs)
and beyond. It needs to mention: users delegating access to
applications; applications orchestrating that delegation; swapping
permanent credentials for short-lived access tokens; and that it uses
HTTP. Here is my suggestion:
"The OAuth 2.0 authorization protocol allows an application to gain
limited permission to access an HTTP service on behalf of a user by
orchestrating an approval interaction between the user and the service.
OAuth 2.0 uses temporary credentials, issued by an HTTP service either
directly to an application or to represent user-delegated permissions.
A collection of HTTP services can accept temporary credentials without
needing to handle long-term user or application credentials, which
can be restricted to a secure service that issues the temporary
credentials."
I think this text can be understood without knowing any of the
specialised terms introduced later in the specification.
--
James Manger