On Wed, 22 Feb 2012, Julian Reschke wrote: > On 2012-02-22 08:04, David Morris wrote: > > > > > > On Tue, 21 Feb 2012, Michael Richardson wrote: > > > > > > > > > > > > > "Barry" == Barry Leiba<barryleiba@xxxxxxxxxxxx> writes: > > > Barry> OAuth is an authorization framework, not an authentication > > > Barry> one. Please be careful to make the distinction. > > > > > > Barry> What we're looking at here is the need for an HTTP > > > Barry> authentication system that (for example) doesn't send > > > Barry> reusable credentials, is less susceptible to spoofing > > > Barry> attacks, and so on. > > > > > > and is implemented in HTTP, not in terms of HTML forms, yet has all the > > > flexibility of the HTML form method? > > > > And includes the ability for the user to logoff / the server reset the > > login? > > Is that a protocol problem or a user agent problem? > > -- > <http://lists.w3.org/Archives/Public/www-archive/2012Jan/0023.html> I consider it a protocol issue in the same way that authentication is a protocol issue. The question I was responding to was one of adoption by application developers and is in addition to the lack of application control over the current authenticate dialog. A "use case" if you will. The JS approach isn't really adequate because not all user agents execute the payload. Second 1/2 of the "use case." I'm not advocating that this be solved as part of the Recharter/2.0 activity, I'm neutral on the where question. _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf