On Apr 24, 12:18 pm, Zachary Voase <[email protected]> wrote:
> The point I'm trying to make is that this is an intractable problem; I
> don't know how to explain it in clearer terms than this: the issue is
> one of being able to read the user's mind and find out if they are who
> they say they are. The two-point solution I'm trying to push ensures

Yes!  Authentication is (very) hard ;-).

> that requests are as authentic as possible. *Any* solution will be
> heuristic because of the architecture on which OAuth works (a
> combination of HTTP, TCP/IP, and Homo Sapiens).
>
> On Apr 24, 6:52 pm, Dossy Shiobara <[email protected]> wrote:
>
> > On 4/24/09 12:30 PM, Zachary Voase wrote:
>
> > > But we've pretty much solved*that*  issue with signed/pre-specified
> > > callbacks and the once-only rule for exchanging request tokens.
>
> > Not solved, but minimized.  That's what worries me.  Are we collectively
> > happy with "secure enough" until someone implements a proof-of-concept
> > exploit that's released in the wild?
>
> > Why does it have to come to that before we really do the right thing?
>
> > --
> > Dossy Shiobara              | [email protected] |http://dossy.org/
> > Panoptic Computer Network   |http://panoptic.com/
> >    "He realized the fastest way to change is to laugh at your own
> >      folly -- then you can let go and quickly move on." (p. 70)
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
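The two mechanisms Zachary refers to above, a callback fixed at request-token time and a once-only rule for exchanging the request token, are easy to state but easy to get subtly wrong, so here is a small worked example of a provider enforcing both. This is an added illustration, not code from the thread or from any OAuth library; the consumer key, callback URL, the Provider class and its method names are all made up for the example, and the oauth_verifier handed back over the pre-specified callback follows the OAuth 1.0a design. The replay in run_demo() shows the once-only rule doing its job: the second exchange of the same request token is refused.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class RequestToken:
    """Provider-side state for one request token (hypothetical structure)."""
    consumer_key: str
    callback: str            # fixed when the token is issued, never taken from a later request
    verifier: str = ""       # issued on authorization, delivered only via that callback
    authorized: bool = False


class Provider:
    """Toy OAuth provider; only the token-issue / authorize / exchange steps are modelled."""

    def __init__(self, registered_callbacks):
        # consumer_key -> callback URL registered out of band (pre-specified callback)
        self._registered = registered_callbacks
        self._tokens = {}          # request token -> RequestToken
        self._burned = set()       # request tokens already exchanged, kept for replay detection

    def issue_request_token(self, consumer_key, oauth_callback):
        registered = self._registered.get(consumer_key)
        if registered is None:
            raise PermissionError("unknown consumer")
        # The callback must match what the consumer registered; an attacker-supplied
        # callback is rejected here rather than honoured later.
        if not hmac.compare_digest(registered, oauth_callback):
            raise PermissionError("callback does not match the registered callback")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = RequestToken(consumer_key, oauth_callback)
        return token

    def authorize(self, token):
        """User approves the token at the provider. Returns where to send the user next."""
        rt = self._tokens[token]
        rt.authorized = True
        rt.verifier = secrets.token_urlsafe(8)
        # The verifier only ever travels to the callback fixed at issue time.
        return rt.callback, rt.verifier

    def exchange(self, consumer_key, token, verifier):
        """Exchange an authorized request token for an access token, exactly once."""
        if token in self._burned:
            raise PermissionError("request token already exchanged (replay)")
        rt = self._tokens.get(token)
        if rt is None or rt.consumer_key != consumer_key or not rt.authorized:
            raise PermissionError("token unknown, not authorized, or wrong consumer")
        if not hmac.compare_digest(rt.verifier, verifier):
            raise PermissionError("bad verifier")
        # Once-only rule: remove the token before handing out the access token, so a
        # concurrent or later second exchange cannot succeed.
        del self._tokens[token]
        self._burned.add(token)
        return secrets.token_urlsafe(16)


def run_demo():
    """Drive the three steps and return what happened (constructed sample data)."""
    provider = Provider({"consumer-A": "https://consumer-a.example/oauth/callback"})

    # 1. A consumer asking for a token with a callback it did not register is refused.
    try:
        provider.issue_request_token("consumer-A", "https://evil.example/steal")
        foreign_callback_rejected = False
    except PermissionError:
        foreign_callback_rejected = True

    # 2. Normal flow: issue, authorize, exchange.
    token = provider.issue_request_token("consumer-A", "https://consumer-a.example/oauth/callback")
    callback, verifier = provider.authorize(token)
    access_token = provider.exchange("consumer-A", token, verifier)

    # 3. Replaying the same request token and verifier must fail.
    try:
        provider.exchange("consumer-A", token, verifier)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {
        "foreign_callback_rejected": foreign_callback_rejected,
        "callback_used": callback,
        "access_token_issued": bool(access_token),
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that the replay check happens before the token lookup, and the token is deleted before the access token is returned: ordering those two steps the other way round is the usual way a "once-only" rule turns into "once per race". This demonstrates the mechanisms named in the thread; it does not settle the larger question Dossy raises about whether they are sufficient.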