> Before I read the draft, can you comment on your use cases for the HMAC and RSA schemes?

I don’t have a current desire to use the HMAC or RSA schemes. I do have a strong desire NOT to define an OAuth-specific way to sign HTTP requests, that isn't applicable to any app that wants to authenticate "important" parts of a HTTP request with a key, or doesn't follow the existing model for HTTP authentication (including interop given just a user-id and key).

My "use case" for HMAC and RSA schemes is that OAuth 1 (specs and implementations), plus Eran’s drafts, use it. I would be happy to see HMAC and RSA schemes dropped from future OAuth specs completely (a la WRAP, but web-style).

--
James Manger
