[cap-talk] OAuth and OCAP?
Karp, Alan H
alan.karp at hp.com
Wed Jun 2 15:27:09 PDT 2010
OAuth 2.0 (essentially OAuth-WRAP; OAuth 1.0 is a completely different beast.) is almost a capability system, but not quite. It's like a capability system in that you authenticate (with OpenID if you like) to get an authorization token, which you can pass on to others. It's not a capability system in that the token is not mandated to designate the resource. The Kantara Initiative User Managed Access people had a confused deputy because of this shortcoming. There are other, less important oddities in the protocol that make it not quite o-caps.
I'm up on this because I attended the recent Internet Identity Workshop. It's fun. People on this list should go.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cap-talk