The point I'm trying to make is that this is an intractable problem; I don't know how to explain it in clearer terms than this: the issue is one of being able to read the user's mind and find out if they are who they say they are. The two-point solution I'm trying to push ensures that requests are as authentic as possible. *Any* solution will be heuristic because of the architecture on which OAuth works (a combination of HTTP, TCP/IP, and Homo Sapiens).
On Apr 24, 6:52 pm, Dossy Shiobara <[email protected]> wrote:
> On 4/24/09 12:30 PM, Zachary Voase wrote:
> > But we've pretty much solved *that* issue with signed/pre-specified
> > callbacks and the once-only rule for exchanging request tokens.
>
> Not solved, but minimized. That's what worries me. Are we collectively
> happy with "secure enough" until someone implements a proof-of-concept
> exploit that's released in the wild?
>
> Why does it have to come to that before we really do the right thing?
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
