On Mon, Apr 16, 2012 at 12:07 PM, Derek Atkins <de...@ihtfp.com> wrote:
>
> I think there are two main differences between webfinger and swd:
>
> a) whole-document vs. individual attributes
> b) a perceived authorization model to control access to said attributes
>
> In particular I feel there are some specific security requirements that
> must be met by the protocol, but I think it's easily accomplished by
> a small amount of text that effectively says:
>
> 1) requestors of the service should authenticate (or be treated as an
>    anonymous user)
> 2) content returned must be dynamic and dependent on the authorization
>    of the authenticated user.
>

I think requesters MAY authenticate, not SHOULD.

>
> This leaves only the perceived issue of "whole document" vs "individual
> attribute". If a client ever wants more than one attribute then a whole
> document approach reduces the number of round trips. However if
> documents get large that could also affect performance. We might, then,
> need a way to specify which attributes are requested, but allow for a
> wildcard to return "everything I am authorized to see".
>

Something like the PoCo query model?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
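
The two requirements and the wildcard idea discussed in this message, as an added sketch that is not part of the original thread and is not WebFinger or SWD code: a lookup that treats an unauthenticated requester as anonymous, filters each attribute by the requester's authorization, and accepts either named attributes or "*". The record layout, policy labels and function names are hypothetical, and the sample data is constructed.

```python
# Added illustration: hypothetical names and data, not a WebFinger/SWD wire format.
ANONYMOUS = None  # an unauthenticated requester is treated as the anonymous user

# Constructed sample record: every attribute carries its own access policy.
# "public" = anyone, "authenticated" = any authenticated requester,
# a set = only the principals named in it.
RECORD = {
    "acct:alice@example.com": {
        "openid_issuer": ("https://idp.example.com", "public"),
        "profile_page": ("https://example.com/alice", "authenticated"),
        "calendar": ("https://cal.example.com/alice", {"acct:bob@example.com"}),
    }
}


def is_authorized(requester, policy):
    """Decide whether this requester may see an attribute with this policy."""
    if policy == "public":
        return True
    if requester is ANONYMOUS:
        return False
    if policy == "authenticated":
        return True
    return isinstance(policy, (set, frozenset)) and requester in policy


def discover(subject, requester=ANONYMOUS, requested=("*",)):
    """Return the requested attributes of subject that requester may see.

    "*" means "everything I am authorized to see". In this sketch, attributes
    that are denied and attributes that do not exist are both simply omitted,
    so the response is the same for either case.
    """
    attrs = RECORD.get(subject, {})
    wanted = list(attrs) if "*" in requested else requested
    return {
        name: attrs[name][0]
        for name in wanted
        if name in attrs and is_authorized(requester, attrs[name][1])
    }
```
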