Paul,
The draft-15.1 abstract is just the first sentence of the abstract I suggested last month [http://www.ietf.org/mail-archive/web/oauth/current/msg05693.html and below]. The rest covered OAuth's other major aspect: issuing temporary credentials that resource servers can handle, while a separate service can handle permanent or exotic credentials (eg assertions). Does it fit what you were after? Your "directly negotiate access" phrase hints that there is more to OAuth 2 than delegation, but I'm not sure that it explains it. -- James Manger From: [email protected] [mailto:[email protected]] On Behalf Of Paul Madsen Sent: Thursday, 7 April 2011 1:15 AM To: Eran Hammer-Lahav Cc: [email protected] Subject: Re: [OAUTH-WG] draft-15 editorials Proposed text The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of an end-user by orchestrating an approval interaction between the end-user and the HTTP service, or by allowing the third-party application to directly 'negotiate', on its own behalf, such access with the HTTP service. And I acknowledge the concerns that 'negotiate' might create, thus the air quotes .... paul From: [email protected] [mailto:[email protected]] On Behalf Of Manger, James H Sent: Thursday, 17 March 2011 1:40 PM To: OAuth WG Subject: [OAUTH-WG] OAuth2 abstract Comments on draft-ietf-oauth-v2-13: 1. Abstract The 1-line abstract is not helpful - it merely repeats the title. The abstract is important as it is the text most widely seem around the rest of the IETF community (eg in announcements of drafts and RFCs) and beyond. It needs to mention: users delegating access to applications; applications orchestrating that delegation; swapping permanent credentials for short-lived access tokens; and that it uses HTTP. Here is my suggestion: "The OAuth 2.0 authorization protocol allows an application to gain limited permission to access an HTTP service on behalf of a user by orchestrating an approval interaction between the user and the service. OAuth 2.0 uses temporary credentials, issued by an HTTP service either directly to an application or to represent user-delegated permissions. A collection of HTTP services can accept temporary credentials without needing to handle long-term user or application credentials, which can be restricted to a secure service that issues the temporary credentials." I think this text can be understood without knowing any of the specialised terms introduced later in the specification. -- James Manger
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
