On 4/24/09 1:18 PM, Zachary Voase wrote:
> The point I'm trying to make is that this is an intractable problem; I
> don't know how to explain it in clearer terms than this: the issue is
> one of being able to read the user's mind and find out if they are who
> they say they are. The two-point solution I'm trying to push ensures
> that requests are as authentic as possible. *Any* solution will be
> heuristic because of the architecture on which OAuth works (a
> combination of HTTP, TCP/IP, and Homo Sapiens).
It's not an intractable problem. There's no mind-reading required, just a design that isn't flawed by design. I have yet to see anyone explain why my proposal of authenticating with the SP _first_ before starting the authorization flow with OAuth does NOT eliminate this risk _completely_. Someone please shoot a hole in the idea if it's at all possible.

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
