This is what I am proposing by allowing application consumers (AC) to register at the OP and upload their public key there. Now they have a consumer key in the form of an openid and a secret they can share (using AX). No need to have those tokens and out-of-band messages for arranging the AC/SP key/secret exchange. This is highly discoverable and scalable. If you use the user openid as the oauth_token, now you can even authenticate the user as well as the consumer.

Pat.
On Jan 13, 2009, at 3:09 PM, John Kristian wrote:

> I imagine a service provider might want to revoke a consumer secret.
> You might specify how the service provider can signal that it has done
> so, to enable the consumer to automatically get a fresh consumer
> secret. You might extend http://oauth.pbwiki.com/ProblemReporting for
> the purpose.
>
> You might recommend that consumers limit the useful lifetime of a
> confirmation token. It seems like a good idea to invalidate a token
> after a single use and/or a fairly short time interval.
>
> When validating a confirmation token, it seems like a good idea to use
> HTTPS and to require that the consumer (HTTPS server) present a
> certificate issued by a trusted authority and matching the HTTPS
> server's host name. (Browsers often require this.)
>
> An entirely different protocol occurs to me. When requesting a
> consumer secret, the consumer could sign the request with its
> certificate. That is, the request contains a certificate, issued by a
> trusted authority, that matches the consumer key (that is the
> consumer's root URL). And the request is signed with the private key
> associated with that certificate. The service provider validates the
> certificate and uses the certificate's public key to validate the
> signature. If all is valid, it returns the desired consumer secret.
> The consumer would not send a confirmation token, and the service
> provider would not validate a confirmation token.
>
> Perhaps this won't work for OpenMicroBlogging. Perhaps it's a bad
> idea in general. :-)
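The certificate-signed secret request that John sketches above, written out as an added example in Go. This is not code from the list, from OMB or from any OAuth library; it is mine, and it assumes a few things the thread does not specify: a "trusted authority" built in-process as a self-signed CA, a hypothetical message shape (`SecretRequest`) carrying the consumer key, a timestamp, a nonce, the consumer's certificate and an ECDSA P-256 signature, and a consumer key that is an https root URL whose host must appear in the certificate. The service-provider side does the three checks the proposal calls for (chain to a trusted root, hostname matches the consumer key, signature verifies under the certificate's key) and additionally bounds the request's age, which is the "short time interval" idea from earlier in the same message applied here. The secret returned is a freshly generated random value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SecretRequest is a hypothetical message shape for "give me my consumer
// secret" (constructed for this example; not something OAuth defines).
type SecretRequest struct {
	ConsumerKey string // the consumer's root URL, used as the consumer key
	Timestamp   int64  // seconds since epoch; bounds the request's lifetime
	Nonce       string
	CertDER     []byte // certificate issued by a trusted authority
	Signature   []byte // ECDSA (ASN.1) signature over digest()
}

// digest is the signed material. The certificate is bound in as well, so a
// captured signature cannot be re-presented with a different certificate.
func (r SecretRequest) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%d\n%s\n", r.ConsumerKey, r.Timestamp, r.Nonce)
	h.Write(r.CertDER)
	return h.Sum(nil)
}

// mint generates a P-256 key and a certificate for it, issued by parent/signer
// or self-signed when parent is nil. Validity is fixed at one day for the demo.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA stands in for the "trusted authority" (constructed for the example).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Authority"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueConsumerCert issues the consumer an HTTPS-style certificate naming its host.
func IssueConsumerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// SignRequest is the consumer side: the request is signed with the private
// key associated with the consumer's certificate, and the certificate rides along.
func SignRequest(consumerKey, nonce string, cert *x509.Certificate, key *ecdsa.PrivateKey) (SecretRequest, error) {
	req := SecretRequest{ConsumerKey: consumerKey, Timestamp: time.Now().Unix(), Nonce: nonce, CertDER: cert.Raw}
	sig, err := ecdsa.SignASN1(rand.Reader, key, req.digest())
	req.Signature = sig
	return req, err
}

// IssueConsumerSecret is the service-provider side. Nothing is returned unless
// the certificate chains to a trusted root, names the host of the consumer key,
// and the signature verifies under the certificate's public key.
func IssueConsumerSecret(req SecretRequest, roots *x509.CertPool, maxAge time.Duration) (string, error) {
	u, err := url.Parse(req.ConsumerKey)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("consumer key must be an https root URL")
	}
	if age := time.Since(time.Unix(req.Timestamp, 0)); age > maxAge || age < -maxAge {
		return "", errors.New("request timestamp outside the accepted window")
	}
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return "", err
	}
	// Chain validation and hostname match in one call: Roots is the set of
	// trusted authorities, DNSName is the host taken from the consumer key.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: u.Hostname()}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("certificate key type not supported by this example")
	}
	if !ecdsa.VerifyASN1(pub, req.digest(), req.Signature) {
		return "", errors.New("signature does not verify under the certificate's key")
	}
	// A real provider would store this against the consumer key and remember
	// nonces for maxAge to stop replay; here the fresh secret is simply returned.
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return "", err
	}
	return hex.EncodeToString(secret), nil
}

func main() {
	ca, caKey, _ := NewCA()
	cert, key, _ := IssueConsumerCert(ca, caKey, "consumer.example")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	req, _ := SignRequest("https://consumer.example/", "nonce-1", cert, key)
	fmt.Println(IssueConsumerSecret(req, roots, 5*time.Minute))
}
```

Two design points worth noting. The hostname check is what ties the certificate to the consumer key: a valid certificate for some other host proves nothing about "https://consumer.example/", so the provider extracts the host from the key it was given and asks the verifier to match exactly that. And because the signed digest covers the certificate bytes, the provider never has to decide which of several presented certificates the signature belongs to.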
