I was going to ask this question during the just-concluded WG session at IETF-92, but with a full agenda and little time I thought it might be better to ask this question on-list.
The Registration Data Access Protocol (RDAP, a work product of the WEIRDS WG) uses a RESTful web service to access data associated with things like domain names and IP address blocks. It's intended to be a replacement for the aged WHOIS protocol. I co-authored a security services document for RDAP that describes how a federated authentication system can address an operational need for client identification, authentication, and authorization, but that document doesn't specify any particular solution or how it can actually be deployed. In the near future implementers will be standing up services and I'd like to explore some workable options.

So, I'm looking for advice from people who know more about federated authentication systems than I do. RDAP clients will be the same type of people who use WHOIS today. Servers will need to be able to identify and authenticate clients and grant appropriate privileges based on their identity and purpose. What kind of federation could be deployed today to meet these needs? Which protocol(s) will do the job and be brain-dead simple for human end users?

Scott

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth