The AuthSub mechanism enables you to write web applications that acquire authenticated access Google Data services, without having to write code that handles user credentials.
See http://code.google.com/apis/accounts/AuthForWebApps.html for more information about Google Data AuthSub authentication.
The Google documentation says the ClientLogin mechanism is appropriate for "installed applications" whereas the AuthSub mechanism is for "web applications." The difference is that AuthSub requires interaction from the user, and a browser interface that can react to redirection requests. The ClientLogin solution uses PHP code to supply the account credentials; the user is not required to enter her credentials interactively.
The account credentials supplied via the AuthSub mechanism are entered by the user of the web application. Therefore they must be account credentials that are known to that user.
Zend_Gdata currently does not support use of secure tokens,
because the AuthSub authentication does not support passing a digital certificate
to acquire a secure token.