What's generally done today (think Google Calendar, Flickr, etc.) is use
"private" URLs and mail them around. It doesn't really meet anyone's standards
for controlling access to anything valuable -- but it sure is convenient. :-)

Eve

On 14 Jan 2010, at 11:53 AM, Igor Faynberg wrote:
> John Kemp wrote:
>> ...
>> What delegated authorization protocol should be used to deal with those "not
>> so serious" use-cases then, if OAuth makes them too expensive?
>>
>>
> I expected this question and dreaded it. I don't have a good answer, and I
> don't think there is one. (In my defense, the airport security cannot find
> the way around the wait-wait-wait/shoes-off/belts-off/watches-off routine for
> "good" people--who are actually the majority.)
>
> One not-so-good answer, but--I think--a workable one is to consider an
> (enumerated type) parameter carrying a required security value, something
> that would have to come from the user initially, and then specify TLS or any
> other cryptographic delicacy based on such a value. The only problem is that
> end users might happily settle for the highest security, anyway (unless they
> have to pay for it).
>
> Igor

Eve Maler
[email protected]
http://www.xmlgrrl.com/blog
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth