On 4/28/09 10:40 AM, Peter Keane wrote:
> But the consumer will still need to communicate back to the SP that it
> has some unique knowledge that it could only have been offered at the
> SP authentication point. Most proposals do this with the
> "verification token" -- my reasoning leads me to believe that needs to
> be passed "out-of-band." I'm not sure that moving the authentication
> before request token necessarily guarantees that.

It doesn't need to be passed out of band. You only need to defend against it being intercepted by an attacker.

--
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
