Yep. The entire authentication/authorization discussion is sadly muddled. The OAuth/OpenID hybrid proposal is adding to the confusion.
Sometimes I feel like we (people who have interest in the two concepts) maintain there is a difference to justify standards' existence, even if it's largely an academic difference with no pragmatic real meaning. Other times it feels okay that they should be separate. Just one of those things, I guess. For the longest time oauth.net claimed OAuth was for API authentication and no one really noticed. The only thing worth being very strict about, IMO, is identity and authentication. Never the twain should meet. It's HMACs all the way down anyway :)

Hans

On Wed, Jan 28, 2009 at 12:02 PM, John Kristian <[email protected]> wrote:
>
> Yes, a digital signature can be used for authentication. SSL/TLS is
> one example. OAuth specifies some signing algorithms that could be
> used for the purpose.
>
> But it seems dangerous to extend OAuth to do authentication as well as
> authorization. Better for OAuth to focus on doing one thing really
> well.
