On Fri, May 1, 2009 at 10:15 PM, Luca Mearelli <[email protected]> wrote:
> On Fri, May 1, 2009 at 10:25 AM, Blaine Cook <[email protected]> wrote:
>> 1. "1.0 Rev A" with no version string change (i.e., oauth_version=1.0)
>
> +1 for this

Let me put a few words behind this: I see no reason for changing the
value of the parameter transmitted over the wire (oauth_version),
since changing it doesn't do any good for the task here, which is fixing
the spec security, but will instead do harm to the already
deployed (and working) code. Let's not forget that the currently
issued and authorized access tokens would stop working for no reason
and require reissue if that value is changed.

Some of the discussion around the version is related to the possible
confusion of having a different version in the spec "name" and in the
wire parameter. To this extent, any change to the name that makes it
easy to communicate that we are referring to a revised protocol would
be good and minimize the possible confusion, hence the preference for
calling it "1.0 Rev A".

Moreover, I'd see it as a good thing to clarify the role of the
oauth_version parameter as NOT being the spec version but the protocol
signature version (I mean the way to indicate how to build the
signature base string & co).

Luca

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.