John Levine writes:
After digging through a festival of acronyms, I ended up at RFC 6616.
Thank you!
There are certainly OpenID libraries, but I don't know to what extent anyone has written the code to splice them into SASL.
Were we (on dmarc@ietf) talking all along about OpenID when we wrote "OAuth"? They're different, although I don't know exactly how or why (and neither RFC made obvious mention of the other :-( ).
I'm not sure who you know among the authors of that RFC, but I've worked with Simon Josefsson, who would surely help if he has time, and has done a lot of implementation. (I suspect Barry knows him too.) Given that Simon is on the side of SASL/OpenID vs. OAuth, I suspect that OpenID is the more practical of the two standards.
I would propose doing the submission hack, explicitly noting that SASL has a variety of different ways to authenticate with different usability and security trade-offs.
I think that's a good starting point for discussion. With a little luck it could be quite close to eventual implementation, too. :-)