Hey Blaine,

Thanks for typing this up!

I think I understand what you're trying to do here, and I appreciate the "I really don't care how you do auth" approach; the core of what you want is the "From" header. I think it would be very helpful for newbies to this idea of "asynchronous authentication" if you provided a complete play-by-play flow of subscribing to content where you actually use real protocols for each step in the process (e.g., PubSubHubbub with WebFinger callback auth). Then you can highlight the parts that are pluggable and abstract from there. Of course this would be non-normative.

-Brett

On Tue, Jul 13, 2010 at 6:34 PM, Blaine Cook <[email protected]> wrote:
> Attached is a[n early] and long-promised draft of a relatively
> insecure but easy-to-implement approach to decentralized authorization
> using webfinger. Feedback is most welcome, especially in the lead-up
> to the Federated Social Web summit in Portland this weekend.
>
> For those concerned about security, don't despair, crypto can be
> layered on like maple syrup at a sugar shack. :-)
>
> b.
