[cap-talk] OAuth vs. CapDoc contrast

Karp, Alan H alan.karp at hp.com
Sun Sep 30 20:22:55 EDT 2007


Ben Laurie wrote:
> 
> Many service providers are reluctant to use HTTPS for all their
> traffic because of the load it imposes.
> 
That means that the content you're trying to limit access to is being
sent in the clear.  Somehow that doesn't seem compatible with the
complexity of the protocol intended to protect access.  If the webkeys
are single use, you're only risking the webkey to the extent that OAuth
is risking your data.
> 
> > 2. Appendix B.9 implies that the authorization token grants the consumer
> > access to all the user's protected resources, not just the one the user
> > authorized.  Is this choice just an optimization?
> 
> It should not imply that. The token should grant the consumer access only
> to what the user authorised.
> 
Appendix B.9 says: 
--------
By itself, OAuth does not provide any method for scoping the access
rights granted to a Consumer. A Consumer either has access to Protected
Resources or it doesn't. Many applications will, however, require
greater granularity of access rights. For example, Service Providers may
wish to make it possible to grant access to some Protected Resources but
not others, or to grant only limited access (such as read-only access)
to those Protected Resources.
---------
I had assumed that was done so the user didn't need to keep returning to
the server for each authorization.
> 
> No, but once OAuth is baked, I do plan to work on a delegation
> standard. Are you interested in helping?
> 
Maybe once I'm convinced that OAuth is a reasonable approach.  The main
disadvantage I see is the server- and consumer-side changes that are
needed.  The complexity is something else I'd like to see justified.
> 
> One answer is that then you would not be able to delegate.

Of course you can delegate a webkey.  Just send it in an email.  Of
course, you'll be held responsible for how it's used, but that's your
choice when you delegate.  I can envision using Horton, but then we're
back to server- and consumer-side changes.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
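The single-use and delegation points argued in the message above, as an added example that is not code from the cap-talk thread, from the OAuth specification or from any webkey implementation: a toy webkey (capability-URL) issuer that scopes a key to read-only or read/write, can burn a key on first use, and lets the holder delegate simply by handing the string to someone else. The origin https://example.test/, the "#s=" fragment convention, and the class and function names are illustrative assumptions.

```python
"""Added example (not from the cap-talk thread, OAuth, or any webkey
library): a toy webkey issuer showing scoping, single use and delegation.
All names, the origin and the '#s=' convention are assumptions."""
import hmac
import secrets
from dataclasses import dataclass

BASE_URL = "https://example.test/"  # hypothetical service-provider origin


@dataclass
class Resource:
    name: str
    data: str


@dataclass
class Grant:
    resource: Resource
    rights: frozenset   # subset of {"read", "write"}
    single_use: bool
    spent: bool = False


class WebkeyIssuer:
    """Server side: mints webkeys and checks them on every request."""

    def __init__(self):
        self._grants = {}   # token -> Grant

    def mint(self, resource, rights, single_use=False):
        token = secrets.token_urlsafe(24)   # 192 bits of entropy: unguessable
        self._grants[token] = Grant(resource, frozenset(rights), single_use)
        # The secret goes in the fragment so a browser never leaks it in a
        # Referer header when the page links elsewhere (assumed convention).
        return BASE_URL + resource.name + "#s=" + token

    def _grant_for(self, webkey):
        token = webkey.rsplit("#s=", 1)[-1]
        # Constant-time comparison so the token cannot be guessed by timing.
        for known, grant in self._grants.items():
            if hmac.compare_digest(known.encode(), token.encode()):
                return grant
        return None

    def access(self, webkey, op, payload=None):
        """Perform 'read' or 'write' on the resource if the webkey allows it."""
        grant = self._grant_for(webkey)
        if grant is None or grant.spent or op not in grant.rights:
            raise PermissionError("webkey does not authorize " + op)
        if grant.single_use:
            grant.spent = True   # burned on first use, as argued in the thread
        if op == "write":
            grant.resource.data = payload
        return grant.resource.data


def demo():
    """Exercise scoping, single use and delegation; return the observed results."""
    issuer = WebkeyIssuer()
    photos = Resource("photos", "holiday.jpg")   # constructed sample resource
    out = {}

    # 1. Scoped key: read-only, so the consumer can read but not write.
    ro = issuer.mint(photos, {"read"})
    out["ro_read"] = issuer.access(ro, "read")
    try:
        issuer.access(ro, "write", "evil.jpg")
        out["ro_write_blocked"] = False
    except PermissionError:
        out["ro_write_blocked"] = True

    # 2. Single-use key: exposure in the clear risks one request, not the account.
    once = issuer.mint(photos, {"read"}, single_use=True)
    out["once_first"] = issuer.access(once, "read")
    try:
        issuer.access(once, "read")
        out["once_replay_blocked"] = False
    except PermissionError:
        out["once_replay_blocked"] = True

    # 3. Delegation: Alice mails the key to Bob; nothing changes server side,
    #    and Alice answers for whatever Bob does with it.
    alice_key = issuer.mint(photos, {"read", "write"})
    bob_key = alice_key   # "just send it in an email"
    issuer.access(bob_key, "write", "shared.jpg")
    out["after_delegated_write"] = issuer.access(alice_key, "read")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The scoping in step 1 is exactly what Appendix B.9 says plain OAuth lacks: the rights live in the key itself rather than in a separate per-consumer authorization. Step 3 shows why delegation needs no protocol support, and also why the holder, not the server, is accountable for where the key ends up.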