On Thu, Apr 30, 2009 at 10:57 AM, Blaine Cook <[email protected]> wrote:
> > On Thu, Apr 30, 2009 at 6:54 PM, Mike Malone <[email protected]> wrote:
> >
> > This would break the web flow for 1.0 (non Rev. A) consumers.
>
> I think that's the desired behaviour, though? So long as service
> providers continue to support 1.0 non Rev. A consumers, the
> vulnerability persists.
>
> b.

I don't know, is it? I was under the impression that the rev was designed to preserve backwards compatibility and leave the decision up to SPs.

FWIW, I think you're right about making the callback decision when consumer keys are provisioned. It's not something the spec can really enforce, but since it's done on the SP side I think it's safe to assume the implementers will be competent enough to read and understand the security implications.

Mike

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
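The trade-off the two replies above are arguing over, as an added example that is not part of the original message and is not code from any OAuth implementation: a toy service provider (SP) that makes the per-consumer decisions discussed in the thread when a key is provisioned (whether the consumer is a Rev. A consumer that gets an oauth_verifier, and whether its callback is pinned at provisioning, sent with the request-token request as Rev. A does, or taken from the user-authorization URL as 1.0 did), plus a switch for whether pre-Rev. A consumers, which cannot send a verifier, may still finish the exchange. The attack it simulates is the request-token fixation that Rev. A was written to close: the attacker starts the flow, lures the victim into approving the attacker's request token, and then has the consumer complete the exchange. The class names, the `allow_legacy_1_0` and `honor_authorize_url_callback` switches, and every key, user and URL are assumptions made up for the example; signatures, nonces and transport are left out.

```python
"""Toy OAuth 1.0 / Rev. A service-provider token store (added example, not from the thread)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

CONSUMER_CB = "https://consumer.example/oauth/callback"   # constructed URL
ATTACKER_CB = "https://attacker.example/catch"            # constructed URL


@dataclass
class Consumer:
    key: str
    rev_a: bool                          # SP decision at provisioning: gets a verifier?
    registered_callback: Optional[str]   # callback pinned at provisioning, or None


@dataclass
class RequestToken:
    consumer_key: str
    callback: Optional[str]
    authorized_by: Optional[str] = None
    verifier: Optional[str] = None


class ServiceProvider:
    def __init__(self, allow_legacy_1_0: bool, honor_authorize_url_callback: bool = False) -> None:
        self.allow_legacy_1_0 = allow_legacy_1_0                        # hypothetical switch
        self.honor_authorize_url_callback = honor_authorize_url_callback  # 1.0-style callback on authorize URL
        self.consumers: Dict[str, Consumer] = {}
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}   # access token -> user it belongs to

    def provision(self, consumer: Consumer) -> None:
        self.consumers[consumer.key] = consumer

    def request_token(self, consumer_key: str, oauth_callback: Optional[str] = None) -> str:
        """Step 1: consumer obtains a request token (Rev. A sends oauth_callback here)."""
        c = self.consumers[consumer_key]
        callback = c.registered_callback            # pinned at provisioning wins over any request value
        if callback is None and c.rev_a:
            if oauth_callback is None:
                raise ValueError("Rev. A consumer must send oauth_callback")
            callback = oauth_callback
        token = secrets.token_hex(8)
        self.request_tokens[token] = RequestToken(consumer_key, callback)
        return token

    def authorize(self, token: str, user: str, oauth_callback: Optional[str] = None) -> str:
        """Step 2: user approves; returns the redirect the user's browser will follow."""
        rt = self.request_tokens[token]
        rt.authorized_by = user
        if oauth_callback and (rt.callback is None or self.honor_authorize_url_callback):
            rt.callback = oauth_callback            # whoever built the link picked the target
        if self.consumers[rt.consumer_key].rev_a:
            rt.verifier = secrets.token_hex(4)      # leaves the SP only inside this redirect
            return f"{rt.callback}?oauth_token={token}&oauth_verifier={rt.verifier}"
        return f"{rt.callback}?oauth_token={token}"

    def access_token(self, consumer_key: str, token: str, oauth_verifier: Optional[str] = None) -> str:
        """Step 3: consumer swaps the authorized request token for an access token."""
        rt = self.request_tokens.pop(token)
        if rt.consumer_key != consumer_key or rt.authorized_by is None:
            raise PermissionError("token not authorized for this consumer")
        if rt.verifier is not None:
            if not secrets.compare_digest(rt.verifier, oauth_verifier or ""):
                raise PermissionError("missing or wrong oauth_verifier")
        elif not self.allow_legacy_1_0:
            raise PermissionError("pre-Rev. A consumers may not exchange tokens")
        access = secrets.token_hex(8)
        self.access_tokens[access] = rt.authorized_by
        return access


def fixation_attack_succeeds(sp: ServiceProvider, consumer_key: str, victim: str = "alice") -> bool:
    """Attacker starts the flow at the consumer, lures the victim into approving the
    attacker's request token via a link whose callback points at the attacker, then
    has the consumer finish the exchange. Returns True if the attacker ends up holding
    an access token that belongs to the victim."""
    token = sp.request_token(consumer_key, CONSUMER_CB)
    redirect = sp.authorize(token, victim, oauth_callback=ATTACKER_CB)
    verifier = None
    if redirect.startswith(ATTACKER_CB):    # victim's browser delivered the redirect to the attacker
        verifier = parse_qs(urlparse(redirect).query).get("oauth_verifier", [None])[0]
    try:
        access = sp.access_token(consumer_key, token, verifier)
    except PermissionError:
        return False
    return sp.access_tokens[access] == victim


def honest_flow_succeeds(sp: ServiceProvider, consumer_key: str, user: str = "alice") -> bool:
    """Well-behaved consumer: the user's own browser carries the redirect back."""
    token = sp.request_token(consumer_key, CONSUMER_CB)
    query = parse_qs(urlparse(sp.authorize(token, user, oauth_callback=CONSUMER_CB)).query)
    try:
        access = sp.access_token(consumer_key, token, query.get("oauth_verifier", [None])[0])
    except PermissionError:
        return False
    return sp.access_tokens[access] == user
```

Running the two flows against different SP configurations shows why the thread's two positions are both defensible: with `allow_legacy_1_0=True` a pre-Rev. A consumer keeps working and the fixation attack keeps working against it; with `allow_legacy_1_0=False` the attack fails but so does that consumer's honest web flow. It also shows that neither half of Rev. A closes the hole on its own: a pinned callback without a verifier still lets the attacker finish the exchange, and a verifier on an SP that still honors a callback from the authorization URL is simply delivered to the attacker.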
