Tuesday, November 28, 2006

Complete transparency isn't always appropriate

A perfect example.

In web service security, a token can be opaque to certain actors (e.g. a client presenting a bearer token, or a Liberty Alliance People Service forwarding an identity token), while other actors need to be able to look inside the same token (e.g. the WSP receiving it).

Like lettuce in the very back corner of the vegetable crisper, tokens don't last forever.
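The split described above, plus the expiry the last line alludes to, as an added example that is not part of the original post. It assumes the token issuer and the WSP share a secret; the function names and claim layout are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a vetted AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Assumption: issuer and WSP share `secret`; the client and any forwarder do not.
# The HMAC keystream below is only a stdlib stand-in for a real AEAD cipher.

def _keys(secret: bytes):
    # Derive separate encryption and MAC keys from the shared secret.
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, keyed per token by the random nonce.
    out, counter = b"", 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_token(secret: bytes, subject: str, now: int, ttl: int) -> bytes:
    """Issuer: seal the claims so holders without the secret see only opaque bytes."""
    enc_key, mac_key = _keys(secret)
    claims = json.dumps({"sub": subject, "exp": now + ttl}).encode()
    nonce = os.urandom(16)
    ct = _xor(claims, _keystream(enc_key, nonce, len(claims)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_token(secret: bytes, token: bytes, now: int) -> dict:
    """WSP: authenticate first, then decrypt, then enforce the expiry claim."""
    enc_key, mac_key = _keys(secret)
    if len(token) < 48:  # 16-byte nonce + 32-byte tag at minimum
        raise ValueError("malformed token")
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed integrity check")
    claims = json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The client or forwarding service handles only the bytes returned by `issue_token`; only a party holding the secret can call `open_token`, and it rejects the token once `now` reaches `exp`.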

