Re: [OAUTH-WG] Signatures don't solve that problem (was RE: Signatures...what are we trying to solve?)

2010-10-04 Thread Igor Faynberg
YES!!! (I wish I could have made this point myself as clear as George did.) In fact, I think this ought to be a fundamental requirement for OAuth applicability within several domains, health services in particular. Igor George Fletcher wrote: ... The point of signatures is not to enable au

[OAUTH-WG] Signatures don't solve that problem (was RE: Signatures...what are we trying to solve?)

2010-10-04 Thread Freeman, Tim
Putting the use cases on the table is good because it makes things much clearer. Unfortunately, it's clear that this use case does not work. I'd like to number the steps under "Requirements" so I can refer to them unambiguously: 1. The application at www.sleepwell.example.com

Re: [OAUTH-WG] Signatures...what are we trying to solve?

2010-10-04 Thread George Fletcher
Hi Zachary, Here is a use case for signed messages. I've tried to keep this in the format of the other OAuth use cases. Please contact me off-list if there are editorial changes required. I've included the list to see if others have feedback on this use case. Thanks, George Use case: Signe

[OAUTH-WG] On splitting the spec and the scope of signatures

2010-10-04 Thread Skylar Woodward
Apologies in advance for adding a new thread, but I've only just switched from digest mode. I'm jumping into the middle of the discussion as our organization (kiva.org) is in the process of becoming an OAuth provider and we're planning to start with an OAuth 2.0-based API (or nearly so) out of th

Re: [OAUTH-WG] Comparing the JSON Token drafts

2010-10-04 Thread Anthony Nadalin
I don't believe that negotiation (policy) has to be part of this proposal, so in the spec if one of the claims is not supported then the token MUST not be processed. We have this today in the web services security stack and there are really no issues. From: Dirk Balfanz [mailto:balf...@google.c