Do you mean why the callback itself isn't signed? Or the parameter?

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Josh Fraser
> Sent: Thursday, April 23, 2009 11:15 PM
> To: OAuth
> Subject: [oauth] What's the back story on why the callback wasn't included in the signature?
>
> It seems like a lot of the vulnerability concerns (at least from B-C)
> can be addressed by simply adding the callback to the signature. Is
> there a reason this wasn't included in the spec to begin with? I want
> to make sure I'm not missing something.
