Large corporations like Google and Yahoo have more resources at their disposal, so it's all relative.

On May 2, 12:08 pm, Eran Hammer-Lahav <[email protected]> wrote:
> No. I'm trying not to break areas of the spec that are unaffected by the
> security hole, provide tools to close the hole, and do it in a way that
> allows providers who choose to, to offer a migration path to their developers
> that is not just shutting down their existing old-flow OAuth endpoints.
>
> When you consider the fact that the authorization flow is merely 3 endpoints
> out of potentially tens or hundreds of API endpoints, the deployment impact
> on the server is much greater on the API side than on the OAuth authorization
> side. This might not be an issue to small providers where the entire API is
> managed by a single server/codebase, but for large providers such as Yahoo!
> and Google with a huge distributed deployment, this is a real impact. Add to
> that OpenSocial which uses 2-legged, the size of secure and unbroken
> deployment that a new wire version will break for no gain at all is
> significant.
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of David Parry
> > Sent: Friday, May 01, 2009 6:51 PM
> > To: OAuth
> > Subject: [oauth] Re: Version Preference
> >
> > You're trying to maximize interoperability between the new and flawed
> > spec.
> >
> > i.e.
> >
> > SP 1.0 <-> Consumer 1.0a
> >
> > SP 1.0a <-> Consumer 1.0
> >
> > On May 2, 11:22 am, Eran Hammer-Lahav <[email protected]> wrote:
> > > I have no idea what point you are trying to make. Specifications are
> > > about interoperability (what else would it be about?).
> > >
> > > EHL
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On Behalf Of David Parry
> > > > Sent: Friday, May 01, 2009 5:57 PM
> > > > To: OAuth
> > > > Subject: [oauth] Re: Version Preference
> > > >
> > > > Let's play devil's advocate for a minute, considering the current
> > > > exploit was in plain view for over a year before it was found.
> > > >
> > > > Are you willing to bet OAuth's reputation (for the sake of
> > > > interoperability) that no flaws exist in this "trapdoor" switch?
