Tonight, a smaller, bi-focused sweep: Identity and HTTP.
Back in May, Sun rolled out an OpenID provider with a twist; it was only available to Sun employees. A bunch of the people who were involved in the work have written up the story, its background, the engineering details, and some of the issues around it; check out Lauren Wood’s series index.
There’s something called OAuth that’s starting to make waves around the identity space. I haven’t dug into it yet, but I should.
After some months of silence, James Clark (yes, that James Clark) has had a burst of writing energy, focusing on the problem of digital signatures for HTTP payloads. The pieces so far, in order, are Bytes not infosets, Integrity without confidentiality, Why not S/MIME?, HTTP response signing abstract model, HTTP: what to sign?, and HTTP response signing strawman. All worth reading.
While on the subject of HTTP, some people at the IETF are trying to get organized to revise RFC2616. So far, on balance, I’m far from convinced that the return on investment would be positive.