On 2/3/2011 5:00 PM, Eran Hammer-Lahav wrote:
> Yes. I think automatic registration and other mechanisms for discovery and
> obtaining credentials are going to be extremely useful. We're just not there
> yet.

This issue does not only need to be related to automatic registration.

With respect to standardizing certain functionality you can decide that

a) a certain feature (call it an interface) is out-of-scope
   (it may be standardized later)
   You describe them as out-of-scope. Done.

b) you want to describe it at a level that ensures interoperability.

Since OAuth is more a framework than just a single protocol (or a small
number of protocol extensions) you do not need to even envision
standardization of every part of it.

When you go for (b) then you had better pick one way to offer a certain
feature unless there is a very good reason to have more than one. Such a
reason may exist in the case of cryptographic algorithms (which may get
broken over time), etc.

So, do I get the impression that you are essentially saying that
- you would rather go for (a) and postpone the standardization of the
  entire client authentication,
- you want to go for (b) but you do not want to have something in the
  base specification, or
- you would go for (b) but you just want to restrict the options down to
  a smaller set?

Ciao
Hannes
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth