On Jan 14, 2010, at 5:45 PM, Eve Maler wrote:

> What's generally done today (think Google Calendar, Flickr, etc.) is use 
> "private" URLs and mail them around.  It doesn't really meet anyone's 
> standards for controlling access to anything valuable -- but it sure is 
> convenient. :-)

Right, so the URL itself is a bearer token, perhaps with usage limitations, 
like a limited timeframe when you get a 200 response from dereferencing the URL 
;)

- johnk
 
> 
>       Eve
> 
> On 14 Jan 2010, at 11:53 AM, Igor Faynberg wrote:
> 
>> John Kemp wrote:
>>> ...
>>> What delegated authorization protocol should be used to deal with those 
>>> "not so serious" use-cases then, if OAuth makes them too expensive?
>>> 
>>> 
>> I expected this question and dreaded it.  I don't have a good answer, and I 
>> don't think there is one. (In my defense, the airport security cannot find 
>> the way around the wait-wait-wait/shoes-off/belts-off/watches-off routine 
>> for "good" people--who are actually the majority.)
>> 
>> One not-so-good answer, but--I think--a workable one is to consider an 
>> (enumerated type) parameter carrying a required security value, something 
>> that would have to come from the user initially, and then specify TLS or any 
>> other cryptographic delicacy based on such value. The only problem is that 
>> end users might happily settle for the highest security, anyway (unless they 
>> have to pay for it).
>> 
>> Igor
> 
> Eve Maler
> [email protected]
> http://www.xmlgrrl.com/blog
> 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
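
The "private URL as bearer token with a limited timeframe" idea from this thread, as an added example that is not part of the original messages. The host `photos.example`, the `expires`/`sig` parameter names, the HMAC-SHA256 construction and the 403/410 status choices are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service would load a random secret from its key store.
SECRET = b"constructed-demo-key-not-for-production"


def _sign(path: str, expires: int) -> str:
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint_private_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return a URL that is itself the credential: whoever holds it may fetch path."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return f"https://photos.example{path}?{query}"


def status_for(url: str, now: Optional[int] = None) -> int:
    """HTTP status the server would return when the URL is dereferenced."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return 403  # missing or malformed token
    # Constant-time comparison; the signature covers both path and expiry.
    if not hmac.compare_digest(sig.encode(), _sign(parts.path, expires).encode()):
        return 403
    if now >= expires:
        return 410  # token was valid but its timeframe has passed
    return 200  # no identity check: possession of the URL is the authorization


if __name__ == "__main__":
    url = mint_private_url("/album/42", ttl_seconds=3600, now=1_000_000)
    print(url)
    print(status_for(url, now=1_000_100), status_for(url, now=1_003_600))
```

Because the check never asks who is presenting the URL, anyone the link is forwarded to gets the same 200 until it expires, which is the convenience and the weakness the thread describes.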
