[cap-talk] Why tokens have short lifetimes in OAuth-WRAP

Karp, Alan H alan.karp at hp.com
Thu Mar 18 08:20:54 PDT 2010


David Barbour wrote:

A far better response to my question than what I got from the WRAP folks.

The disconnect is based on the approach we used for our ZBAC implementation where the service is its own root of trust.  In our scheme, the token originates with the service and is delegated to the authorization service.  The authorization service delegates a separately revocable token to the user, and the user presents that token when making a request.  In our approach, a revocation request goes to the service, not the authorization service.  Hence, there is no communication needed for the service to find out if a token has been revoked.  That approach can be adapted to WRAP.  Since the token is specific to the service, the authorization service can notify the service when a token has been revoked.  

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
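The delegation chain Alan describes (service mints the root token, delegates it to the authorization service, which hands each user a separately revocable token; revocation is recorded at the service itself, so no lookup is needed at request time), as an added example that is not the ZBAC implementation from HP Labs and not part of the original message. It assumes an HMAC-chained token format of the macaroon style, comma-separated scope strings, and the names `Service`, `AuthorizationService`, `delegate` and `demo`, all of which are illustrative choices. The `revoke_user` path is the WRAP adaptation from the post: the authorization service pushes the revoked id to the service, and the service consults only its own local list.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets


def _mac(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 link function; each delegation step keys on the parent's tag."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


class Service:
    """The resource service is its own root of trust: it holds the only secret,
    mints the root token, and keeps the revocation list locally (assumed design)."""

    def __init__(self, name: str):
        self.name = name
        self._root_key = secrets.token_bytes(32)
        self._revoked: set[str] = set()          # token ids revoked at this service

    def issue_root(self, scope: str) -> dict:
        """Root token: one link, tagged under the service's private key."""
        tid = secrets.token_hex(8)
        return {"service": self.name,
                "links": [{"id": tid, "scope": scope}],
                "sig": _mac(self._root_key, tid + "|" + scope)}

    def revoke(self, token_id: str) -> None:
        """Revocation lands here, at the service, so a request check is local."""
        self._revoked.add(token_id)

    def verify(self, token: dict) -> set[str] | None:
        """Recompute the chain from the root key; every link must be unrevoked
        and the final tag must match. Returns the effective scope or None."""
        if token.get("service") != self.name:
            return None
        tag = self._root_key
        allowed: set[str] | None = None
        for link in token["links"]:
            if link["id"] in self._revoked:
                return None
            tag = _mac(tag, link["id"] + "|" + link["scope"])
            scope = set(link["scope"].split(","))
            allowed = scope if allowed is None else allowed & scope   # can only narrow
        if not hmac.compare_digest(tag, token["sig"]):
            return None
        return allowed

    def handle(self, token: dict, action: str) -> bool:
        allowed = self.verify(token)
        return allowed is not None and action in allowed


def delegate(token: dict, scope: str) -> dict:
    """Any holder can mint a narrower, separately revocable child token offline:
    the child's tag is keyed on the parent's tag, not on the service's key."""
    tid = secrets.token_hex(8)
    return {"service": token["service"],
            "links": token["links"] + [{"id": tid, "scope": scope}],
            "sig": _mac(token["sig"], tid + "|" + scope)}


class AuthorizationService:
    """Holds the token the service delegated to it and issues per-user children.
    On revocation it notifies the service (the WRAP adaptation in the post)."""

    def __init__(self, service: Service, token: dict):
        self._service = service
        self._token = token
        self._issued: dict[str, dict] = {}

    def grant(self, user: str, scope: str) -> dict:
        self._issued[user] = delegate(self._token, scope)
        return self._issued[user]

    def revoke_user(self, user: str) -> None:
        tok = self._issued.pop(user)
        self._service.revoke(tok["links"][-1]["id"])   # push: service learns immediately


def demo() -> dict:
    """Constructed scenario: one service, one authorization service, two users."""
    svc = Service("files")
    authz = AuthorizationService(svc, svc.issue_root("read,write"))
    alice = authz.grant("alice", "read,write")
    bob = authz.grant("bob", "read")
    out = {"alice_write": svc.handle(alice, "write"),
           "bob_read": svc.handle(bob, "read"),
           "bob_write": svc.handle(bob, "write")}
    # Bob rewrites his own scope; the chained tag no longer matches.
    forged = dict(bob, links=bob["links"][:-1] + [{"id": bob["links"][-1]["id"], "scope": "read,write"}])
    out["forged"] = svc.handle(forged, "write")
    authz.revoke_user("bob")                          # only Bob's link is revoked
    out["bob_after_revoke"] = svc.handle(bob, "read")
    out["alice_after_bob_revoke"] = svc.handle(alice, "read")
    svc.revoke(alice["links"][0]["id"])               # revoke the service->authz link
    out["alice_after_root_revoke"] = svc.handle(alice, "read")
    out["wrong_service"] = Service("mail").handle(alice, "read")
    return out
```

The point to take from `verify` is that the service never calls anyone: the chain is checked against its own key and its own revocation set. Revoking a child id removes only that branch, while revoking the link the service gave the authorization service invalidates every token issued beneath it.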




