[cap-talk] OAuth vs. CapDoc contrast

Karp, Alan H alan.karp at hp.com
Fri Sep 28 19:40:05 EDT 2007


Jed wrote:
> 
> Thanks for taking time to write Blaine!
> 
I had misunderstood some things about OAuth until I read Jed's
discussion of Blaine's comments.  In particular, the use model is quite
different from what I had thought it was because I hadn't read all the
way to the appendices.  The one sentence in the abstract didn't make it
clear that the user initiates the request made by the consumer.
Clearly, OAuth is not the general purpose authorization mechanism I
thought it was.

I am still confused by some things.

1. Much of the protocol seems to exist to protect the tokens and secrets
when they are used over HTTP.  However, several sections in Appendix B
recommend using HTTPS.  Why not just use HTTPS all the time and simplify
the protocol?  

2. Appendix B.9 implies that the authorization token grants the consumer
access to all the user's protected resources, not just the one the user
authorized.  Is this choice just an optimization?

3. Can an authorization token be delegated?  For example,
printer.example.com prints only text and farms out work on photos to
images.example.org, which never heard of photos.example.net.  Does
printer.example.com have to read the bits and forward them, or is there
a way for images.example.org to read them directly from
photos.example.net?  If so, can images.example.org further delegate the
authorization?

4. Finally, I'll re-ask Jed's question.  Why not just use webkeys?  The
user can go to her account at photos.example.net and be presented with a
"Delegate" button for each resource.  Pressing that button returns a
URL, which can be pasted into a form field at photos.example.net.  That
URL can hold the relevant information granting access to the one
resource being designated and can be revoked after a single use.  

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
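The webkey model from point 4, as an added example that is not part of Alan's message or of any OAuth or webkey implementation: a "Delegate" button mints an unguessable HTTPS URL designating exactly one resource, which is spent on first use and can be revoked beforehand. The host and resource names come from the post; the `/webkey/` path layout, the hash-then-store table, and the class name are assumptions.

```python
import hashlib
import secrets
from urllib.parse import urlparse


class WebkeyIssuer:
    """Minimal webkey issuer for photos.example.net (constructed example).

    Each webkey is an unguessable URL that designates exactly one resource,
    is spent on first use, and can be revoked by the user before use.
    """

    def __init__(self, host, resources):
        self.host = host
        self._resources = dict(resources)   # path -> protected content
        self._grants = {}                   # sha256(key) -> path

    @staticmethod
    def _digest(key):
        # Only a hash of the key is stored, so a leaked grant table does
        # not yield live webkeys.
        return hashlib.sha256(key.encode()).hexdigest()

    def delegate(self, path):
        """The 'Delegate' button: mint a URL granting access to one resource."""
        if path not in self._resources:
            raise KeyError(path)
        key = secrets.token_urlsafe(32)     # 256 random bits, unguessable
        self._grants[self._digest(key)] = path
        return f"https://{self.host}/webkey/{key}"

    def _lookup(self, url):
        # Accept only HTTPS URLs on our own host (see point 1 of the post).
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != self.host:
            return None
        prefix = "/webkey/"
        if not parsed.path.startswith(prefix):
            return None
        return self._digest(parsed.path[len(prefix):])

    def revoke(self, url):
        """User revokes before the delegate uses it; True if it was still live."""
        return self._grants.pop(self._lookup(url), None) is not None

    def redeem(self, url):
        """Delegate presents the webkey; returns that one resource, once."""
        path = self._grants.pop(self._lookup(url), None)
        return None if path is None else self._resources[path]
```

Unlike the all-resources token of point 2, a redeemed or revoked webkey yields nothing, and a webkey for one photo can never name another.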