John Kemp wrote:
> ...
> What delegated authorization protocol should be used to deal with those "not so
> serious" use-cases then, if OAuth makes them too expensive?

I expected this question and dreaded it. I don't have a good answer,
and I don't think there is one. (In my defense, the airport security
cannot find the way around the
wait-wait-wait/shoes-off/belts-off/watches-off routine for "good"
people--who are actually the majority.)

One not-so-good answer, but--I think--a workable one is to consider an
(enumerated type) parameter carrying a required security value,
something that would have to come from the user initially, and then
specify TLS or any other cryptographic delicacy based on such a value. The
only problem is that end users might happily settle for the highest
security, anyway (unless they have to pay for it).

Igor
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth