"Murray S. Kucherawy" <m...@cloudmark.com> writes:

> Thank you Stephen, I think. :-)
>
> So the discussion on apps-discuss now should be focused on which of the two
> should be the basis for forward progress. I've placed both documents in
> "Call for Adoption" state in the datatracker for appsawg.

From an OAUTH perspective I believe that we should help define the requirements of what this protocol needs to provide (be it webfinger, swd, or yadp (Yet Another Discovery Protocol) -- whatever it's named!)

I think there are two main differences between webfinger and swd:

a) whole-document vs. individual attributes
b) a perceived authorization model to control access to said attributes

In particular I feel there are some specific security requirements that must be met by the protocol, but I think it's easily accomplished by a small amount of text that effectively says:

1) requestors of the service should authenticate (or be treated as an anonymous user)
2) content returned must be dynamic and dependent on the authorization of the authenticated user.

This leaves only the perceived issue of "whole document" vs "individual attribute". If a client ever wants more than one attribute then a whole document approach reduces the number of round trips. However if documents get large that could also affect performance. We might, then, need a way to specify which attributes are requested, but allow for a wildcard to return "everything I am authorized to see".

> Let the games begin.

Heh. Play ball!

> -MSK
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Derek Atkins 617-623-3745
de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
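
The following sketch is an added example, not part of the message above and not taken from the webfinger or swd drafts. It shows requirements 1) and 2) together with attribute selection and the wildcard; the attribute names, the policy labels, the directory data and the function names are all hypothetical, and omitting unauthorized attributes silently is a choice made for this sketch.

```python
# Added illustration; every name and value below is constructed.
ANONYMOUS = None  # a requester that did not authenticate

# Each attribute carries a read policy:
#   "public"        -> anyone, including anonymous requesters
#   "authenticated" -> any authenticated requester
#   a set           -> explicit allow-list of requester identities
DIRECTORY = {
    "acct:alice@example.com": {
        "profile-page": ("https://example.com/alice", "public"),
        "openid-issuer": ("https://idp.example.com", "authenticated"),
        "calendar": ("https://cal.example.com/alice",
                     {"acct:bob@example.com"}),
    },
}


def _may_read(policy, requester):
    """Decide whether `requester` may read an attribute with `policy`."""
    if policy == "public":
        return True
    if requester is ANONYMOUS:
        return False  # requirement 1: unauthenticated means anonymous
    if policy == "authenticated":
        return True
    return isinstance(policy, (set, frozenset)) and requester in policy


def discover(subject, requested, requester=ANONYMOUS):
    """Return only the attributes `requester` is authorized to see.

    `requested` is a list of attribute names; ["*"] means
    "everything I am authorized to see". Unauthorized and nonexistent
    attributes are both omitted, so the response does not reveal
    which attributes exist.
    """
    record = DIRECTORY.get(subject, {})
    names = list(record) if "*" in requested else requested
    result = {}
    for name in names:
        entry = record.get(name)
        # requirement 2: the response depends on who is asking
        if entry is not None and _may_read(entry[1], requester):
            result[name] = entry[0]
    return result
```

The same wildcard request yields a different document for an anonymous, an authenticated, and an allow-listed requester, which is the "dynamic" behaviour requirement 2) asks for.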