[Standards] Authorization over HTTP

Tomasz Sterna tomek at xiaoka.com
Fri Nov 9 10:00:11 UTC 2007


On 09-11-2007, Fri at 09:15 +0000, Kevin Smith wrote:
> a way to authenticate a third party as you, without  
> revealing your credentials to them.

This is not the way to go. I would not trust a third party with full
access to all my server data.

The correct way to go is to allow a third party access to encapsulated
parts of the user data: permanent, time-framed or one-time.
And this is what OpenID was designed for and is good at.
One just needs to allow the "roster read access" or "vcard read access"
right for the requesting site and it's done.
This would require an OpenID frontend to the jabberd server data. An easy
thing to implement.

What we could design, though, is an XMPP-based transport for OpenID
requests between servers.
But IIUC the main PITA is XMPP usage, because it's easier and more
natural for web servers to talk HTTP, not XMPP.


-- 
  /\_./o__ Tomasz Sterna
 (/^/(_^^'  Xiaoka.com
._.(_.)_  XMPP: smoku at xiaoka.com
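
Added example, not part of the original message and not OpenID or jabberd code: a deny-by-default grant check for the per-site rights the message names, with permanent, time-framed and one-time lifetimes. The scope strings, class names and site names are hypothetical.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical scope names for the two rights mentioned in the message.
ROSTER_READ = "roster:read"
VCARD_READ = "vcard:read"

@dataclass
class Grant:
    site: str                    # requesting third-party site
    scope: str                   # the single right this grant covers
    expires_at: Optional[float]  # None = permanent, else UNIX time
    one_time: bool = False       # consumed on first successful use
    used: bool = False

class GrantStore:
    """Per-user store of site/scope grants; anything not granted is refused."""
    def __init__(self):
        self._grants = []

    def allow(self, site, scope, ttl=None, one_time=False, now=None):
        now = time.time() if now is None else now
        expires = None if ttl is None else now + ttl
        self._grants.append(Grant(site, scope, expires, one_time))

    def check(self, site, scope, now=None):
        """Return True if `site` may use `scope` now; burns one-time grants."""
        now = time.time() if now is None else now
        for g in self._grants:
            if g.site != site or g.scope != scope:
                continue         # a grant never widens to other sites/scopes
            if g.expires_at is not None and now >= g.expires_at:
                continue         # time-framed grant has lapsed
            if g.one_time:
                if g.used:
                    continue     # one-time grant already spent
                g.used = True
            return True
        return False             # no matching live grant: refuse

if __name__ == "__main__":
    store = GrantStore()         # constructed sample data
    store.allow("photos.example", ROSTER_READ, ttl=3600, now=0)
    print(store.check("photos.example", ROSTER_READ, now=10))    # granted scope
    print(store.check("photos.example", VCARD_READ, now=10))     # never granted
    print(store.check("photos.example", ROSTER_READ, now=7200))  # expired
```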



