On Tue, Nov 11, 2014 at 3:50 PM, Peter Saint-Andre - &yet <[email protected]> wrote:
> On 11/11/14, 2:40 PM, Hannes Tschofenig wrote:
>>
>> I was unable to attend the UTA meeting today but I had a chance to look
>> at the slides.
>>
>> To my surprise I had to notice that the authors have re-created a number
>> of mechanisms we created in OAuth.
>>
>> I am wondering whether the authors are aware of this or whether this
>> re-design (with just minor variations) is intentional.
>>
>> In either case it isn't great and I encourage the authors to take a look
>> at already ongoing efforts.
>
>
> Well, OAuth is just Kerberos for the Web, right? ;-)
>
> It *could* be (I haven't looked at the slides) that the same underlying
> pattern from Kerberos and OAuth/OAuth2 can be applied to UTA in new and
> different and interesting ways.
>
> But in general I'd agree that it's a bit early to be building something
> completely new, given that OAuth is of recent vintage.

What exactly is being copied? RFC 6749 doesn't provide a way to ensure
cookie stealing doesn't happen. Access tokens aren't bound, so a
mechanism needs to be provided to bind them. I don't see where the
conflict with OAuth is.

Sincerely,
Watson Ladd

>
> Peter
>
> --
> Peter Saint-Andre
> https://andyet.com/
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta

--
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
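[Editor's note, not part of the thread: Watson's point that RFC 6749 access tokens are bearer tokens, so a stolen token is replayable until a binding mechanism is layered on top, is easiest to see in code. The block below is an added illustration written for this page; it is not code from any list participant, from RFC 6749, or from the UTA slides under discussion. It assumes a deliberately simplified model: each client holds a per-client key that the server learns at registration, and an HMAC under that key stands in for a client signature. The names `AuthServer`, `Client`, `make_proof` and the request shape are all invented for the example. What it shows is the contrast: a bearer token that leaks is accepted from anyone who presents it, while a token bound to a client key is rejected without that key, and a verbatim replay of a captured bound request is rejected by the nonce check.]

```python
"""Bearer vs. bound access tokens (added illustration, not the thread's code).

Simplifying assumptions (see lead-in): the server knows each client's key,
and HMAC-SHA256 under that key stands in for a client signature.  Nothing
here is the UTA proposal's or RFC 6749's actual wire format.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def key_id(client_key: bytes) -> str:
    """Short identifier for a client key (the token is bound to this id)."""
    return hashlib.sha256(client_key).hexdigest()[:16]


def make_proof(client_key: bytes, tok: str, method: str, path: str, nonce: str) -> str:
    """Proof of possession: MAC over the token and the request it authorises."""
    msg = "\n".join([tok, method, path, nonce]).encode()
    return hmac.new(client_key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self.bearer_tokens: set[str] = set()
        self.bound_tokens: dict[str, str] = {}    # token -> key id it is bound to
        self.client_keys: dict[str, bytes] = {}   # key id -> client key (assumed known)
        self.seen_nonces: set[str] = set()

    # Plain bearer token: possession of the string is the whole proof.
    def issue_bearer(self) -> str:
        tok = secrets.token_urlsafe(32)
        self.bearer_tokens.add(tok)
        return tok

    def check_bearer(self, tok: str) -> bool:
        return tok in self.bearer_tokens

    # Bound token: the token names a key, and every use must prove that key.
    def register_client_key(self, client_key: bytes) -> str:
        kid = key_id(client_key)
        self.client_keys[kid] = client_key
        return kid

    def issue_bound(self, kid: str) -> str:
        tok = secrets.token_urlsafe(32)
        self.bound_tokens[tok] = kid
        return tok

    def check_bound(self, tok: str, method: str, path: str, nonce: str, proof: str) -> bool:
        kid = self.bound_tokens.get(tok)
        if kid is None:
            return False
        if nonce in self.seen_nonces:      # verbatim replay of a captured request
            return False
        expected = make_proof(self.client_keys[kid], tok, method, path, nonce)
        if not hmac.compare_digest(expected, proof):
            return False                    # token presented without the bound key
        self.seen_nonces.add(nonce)
        return True


class Client:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def signed_request(self, tok: str, method: str, path: str) -> tuple[str, str, str, str]:
        nonce = secrets.token_hex(8)
        return method, path, nonce, make_proof(self.key, tok, method, path, nonce)


def demo() -> dict[str, bool]:
    """Run the three scenarios; attacker-held material is labelled as such."""
    srv = AuthServer()

    # 1. A bearer token that leaks (cookie theft, log exposure) is accepted from anyone.
    bearer = srv.issue_bearer()
    bearer_stolen = srv.check_bearer(bearer)          # attacker presents the bare string

    # 2. A bound token that leaks is useless without the client's key.
    client = Client()
    bound = srv.issue_bound(srv.register_client_key(client.key))
    with_key = srv.check_bound(bound, *client.signed_request(bound, "GET", "/resource"))
    attacker = Client()                               # has the token, not the key
    without_key = srv.check_bound(bound, *attacker.signed_request(bound, "GET", "/resource"))

    # 3. Replaying a captured legitimate request verbatim fails on the nonce.
    captured = client.signed_request(bound, "GET", "/resource")
    first_use = srv.check_bound(bound, *captured)
    replay = srv.check_bound(bound, *captured)

    return {
        "bearer_stolen": bearer_stolen,
        "bound_with_key": with_key,
        "bound_without_key": without_key,
        "bound_first_use": first_use,
        "bound_replay": replay,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The nonce set and the HMAC are stand-ins; a real binding would use a client-held private key the server never sees, and would tie the proof to the TLS connection rather than to a request nonce. The part that carries over unchanged is the shape of the check: the resource server must verify something the token thief does not have, which is exactly what a bare RFC 6749 bearer token does not give it.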
