[Mailman-Developers] SUBMIT and OpenID, was Two more DMARC mitigations

[Joshua Cranmer 🐧]

On 6/16/2014 9:28 PM, Stephen J. Turnbull wrote:
> Were we (on dmarc at ietf) talking all along about OpenID when we wrote
> "OAuth"?  They're different, although I don't know exactly how or why
> (and neither RFC made obvious mention of the other :-( ).

OAuth calls itself an authorization framework. I like to think of it 
personally as a less secure and less well-specified variant of Kerberos. 
:-) OpenID in contrast is more of a third-party authentication provider. 
It looks like OpenID is repositioning itself to work on top of OAuth 2.0 
with OpenID Connect, though.

The problem with OAuth is that a lot of its details are left up to the 
whims of the implementor, such as the location of its various endpoints 
or even what elements in the query are mandatory. Figuring out how to go 
from "email address" to "OAuth bearer token" is currently impossible 
without hardcoding a lot of mapping details.

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist