[cap-talk] OAuth and OCAP?

Karp, Alan H alan.karp at hp.com
Wed Jun 2 15:27:09 PDT 2010

OAuth 2.0 (essentially OAuth-WRAP; OAuth 1.0 is a completely different beast.) is almost a capability system, but not quite.  It's like a capability system in that you authenticate (with OpenID if you like) to get an authorization token, which you can pass on to others.  It's not a capability system in that the token is not mandated to designate the resource.  The Kantara Initiative User Managed Access people had a confused deputy because of this shortcoming.  There are other, less important oddities in the protocol that make it not quite o-caps.

I'm up on this because I attended the recent Internet Identity Workshop.  It's fun.  People on this list should go.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.eros-os.org/pipermail/cap-talk/attachments/20100602/ad5c5be2/attachment.html 

More information about the cap-talk mailing list