
On 02/17/2011 11:20 PM, Ted Hardie wrote:
I'm thinking of the URLAUTH mechanism described by LEMONADE: http://tools.ietf.org/search/rfc4467
That's a limited-use proof-of-possession model for authorization, with no authentication implied (just as anyone in possession of a pawn ticket can redeem the item out of pawn). STUN is a user-name and password model either long term or short term. The short-term method can use some out-of-band mechanism to assign time-limited username/passwords.
The reason I think of this as a proof-of-possession mechanism is that in the use I'm most familiar with, both the username and password are random strings generated at the time-of-use; they are carried in fields named "username" and "password" in SDP / Jingle, but that doesn't mean they are tied to a user in the traditional sense - that's what makes them "short-term".
It would be nice if the STUN spec had called the fields something different, but that's what you get from not wanting to reinvent protocols all the time....
Harald
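
Added example, not part of the original message: a Python sketch of the short-term credential use described above, where random per-session strings key a STUN MESSAGE-INTEGRITY check and possession of the password is the only thing proven. It assumes the RFC 5389 message layout (HMAC-SHA1 keyed with the password); the function names are hypothetical, and SASLprep is skipped because the generated password is ASCII.

```python
import hashlib
import hmac
import secrets
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008    # 20-byte HMAC-SHA1

def new_short_term_credential():
    """Random strings minted at time of use; they name no user account."""
    return secrets.token_urlsafe(6), secrets.token_urlsafe(24)

def _attr(attr_type, value):
    pad = (-len(value)) % 4        # attributes are padded to 32-bit boundaries
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad

def build_request(username, password, txid=None):
    txid = txid or secrets.token_bytes(12)
    body = _attr(ATTR_USERNAME, username.encode())
    # The header length already counts the 24-byte integrity attribute
    # when the HMAC is computed over header + preceding attributes.
    header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE)
    covered = header + txid + body
    mac = hmac.new(password.encode(), covered, hashlib.sha1).digest()
    return covered + _attr(ATTR_MESSAGE_INTEGRITY, mac)

def verify_request(msg, password):
    """True only if the sender held `password`; says nothing about identity."""
    if len(msg) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or length != len(msg) - 20:
        return False
    pos = 20
    while pos + 4 <= len(msg):
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        if attr_type == ATTR_MESSAGE_INTEGRITY:
            if attr_len != 20 or pos + 24 > len(msg):
                return False
            # Recompute with the length field ending at this attribute.
            header = struct.pack("!HHI", msg_type, pos + 4, cookie)
            covered = header + msg[8:pos]
            expected = hmac.new(password.encode(), covered, hashlib.sha1).digest()
            return hmac.compare_digest(expected, msg[pos + 4:pos + 24])
        pos += 4 + attr_len + (-attr_len) % 4
    return False                   # no integrity attribute: reject
```

The verifier accepts any sender who presents a valid HMAC, so the lifetime and confidentiality of the out-of-band channel that delivered the password bound what the check protects.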