We have thought about it and decided it was a bad idea, because: 1. If the consumer uses RSA keys, then the provider cannot sign using them.
2. If the consumer uses HMAC keys, then the provider would be signing using the same key. It is generally consider a bad idea in cryptographic protocols to have two different parties use the same key for the same purpose (e.g., sign). It allows for a class of attacks called reflection attacks. On Thu, Apr 23, 2009 at 9:25 AM, Shan <[email protected]> wrote: > What if the callback URL is signed on the provider's end using the > consumer's secret key? The drawback is it puts the burden on the > consumer to close the security hole by checking the signature, and as > such the provider has no way of knowing if an application is secure or > not. -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
