On 4/24/09 12:30 PM, Zachary Voase wrote: > But we've pretty much solved*that* issue with signed/pre-specified > callbacks and the once-only rule for exchanging request tokens.
Not solved, but minimized. That's what worries me. Are we collectively happy with "secure enough" until someone implements a proof-of-concept exploit that's released in the wild? Why does it have to come to that before we really do the right thing? -- Dossy Shiobara | [email protected] | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
