Tonight, a smaller, bi-focused sweep: Identity and HTTP.
Back in May, Sun rolled out an OpenID provider with a twist: it was only available to Sun employees. A bunch of the people who were involved in the work have written up the story, its background, the engineering details, and some of the issues around it; check out Lauren Wood’s series index.
There’s something called OAuth that’s starting to make waves around the identity space. I haven’t dug into it yet, but I should.
After some months of silence, James Clark (yes, that James Clark) has had a burst of writing energy, focusing on the problem of digital signatures for HTTP payloads. The pieces so far, in order, are Bytes not infosets, Integrity without confidentiality, Why not S/MIME?, HTTP response signing abstract model, HTTP: what to sign?, and HTTP response signing strawman. All worth reading.
While on the subject of HTTP, some people at the IETF are trying to get organized to revise RFC2616. So far, on balance, I’m far from convinced that the return on investment would be positive.
From: Henri Sivonen (Oct 19 2007, at 01:26)
I am not optimistic about the HTTP revision work. The thread starting at http://lists.w3.org/Archives/Public/ietf-http-wg/2006OctDec/0190.html shows that the HTTP WG hasn't adopted a WHATWGish view on browser market realities.
From: Blaine Cook (Oct 19 2007, at 15:29)
James' writings are fantastic - with OAuth, we definitely erred on the side of simplicity, but I'd love to see extensions that allow for the OAuth pattern to be applied without user intervention, and with signing of more than just the request body.