Before we go off into another discussion of versioning, I'd just like to reiterate what I and a couple of others mentioned yesterday: OAuth Core 1.0 does not currently assign any semantics AT ALL to oauth_version.

It doesn't say that it is linked either to getting an access token OR using an access token OR anything else for that matter. I don't think it is productive to continue to argue about this when clearly it is possible to determine that the new flow is being used by looking for oauth_callback in the initial request.

I do think it might be worth arguing that we should -- in a future version of the spec. -- define appropriate usage of oauth_version and link it to _something_ about the specification. We should have the dreaded "versioning discussion" -- one day.

I do have sympathy for those who wish to increment the oauth_version. But for 2009.1, I think it's right to stay with oauth_version=1.0, and move on to fix the actual security issue.

Regards,

- johnk

On May 2, 2009, at 1:44 PM, Dossy Shiobara wrote:

> On 5/2/09 1:40 PM, Eran Hammer-Lahav wrote:
>> OAuth has two parts: getting an Access Token and using the Access
>> Token. Getting an Access Token is broken but using is not. No need to
>> break both and changing the wire version will do that. Breaking
>> perfectly secure implementations just to make you *feel* more secure
>> is silly.
>
> Sorry, I didn't realize that there were separate specifications for
> each. In my mind, the two go hand-in-hand - if you can't get a token
> securely, you can't use them securely either. In other words: if any
> attacker can get an access token, then "using them securely" has no
> meaning.
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
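The point johnk makes above, that a server can tell the 2009.1 flow from the original one by looking for oauth_callback in the initial (temporary-credential) request rather than by changing oauth_version, is illustrated by the following added example. It is not code from the thread or from any OAuth library; it assumes the standard OAuth 1.0 Authorization-header syntax (comma-separated name="percent-encoded value" pairs), treats the Revision A value "oob" as the out-of-band callback, and constructs its own sample requests with placeholder keys and signatures. The server-side policy function and its allow_legacy flag are hypothetical names chosen for the example.

```python
"""Distinguish a 2009.1 temporary-credential request from an original 1.0 one
by the presence of oauth_callback, keeping oauth_version="1.0" for both.

Added example (not from the thread or any OAuth library). Assumes the OAuth
Authorization-header syntax; sample headers below are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample: original 1.0 request-token request, no oauth_callback.
LEGACY_HEADER = (
    'OAuth realm="http://photos.example.test/", '
    'oauth_consumer_key="consumer-key-example", '
    'oauth_signature_method="HMAC-SHA1", '
    'oauth_signature="placeholder-signature", '
    'oauth_timestamp="1241282640", '
    'oauth_nonce="nonce-example-1", '
    'oauth_version="1.0"'
)

# Constructed sample: 2009.1 request, oauth_callback carried in the initial
# request (percent-encoded), oauth_version unchanged at 1.0.
REVISED_HEADER = (
    'OAuth realm="http://photos.example.test/", '
    'oauth_consumer_key="consumer-key-example", '
    'oauth_signature_method="HMAC-SHA1", '
    'oauth_signature="placeholder-signature", '
    'oauth_timestamp="1241282641", '
    'oauth_nonce="nonce-example-2", '
    'oauth_callback="http%3A%2F%2Fprinter.example.test%2Fready", '
    'oauth_version="1.0"'
)

_PARAM_RE = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')


def parse_oauth_header(header: str) -> dict:
    """Parse an 'Authorization: OAuth ...' header into decoded parameters.

    Raises ValueError for a non-OAuth scheme or a repeated parameter name.
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth authorization header")
    params = {}
    for name, value in _PARAM_RE.findall(rest):
        if name in params:
            raise ValueError(f"duplicate parameter {name}")
        params[name] = unquote(value)
    params.pop("realm", None)  # realm is an HTTP auth parameter, not an OAuth one
    return params


def detect_flow(params: dict) -> str:
    """Return '2009.1' when oauth_callback is present, else 'original'.

    oauth_version is optional and defaults to 1.0; both flows keep that
    value, so anything else is rejected rather than read as a flow marker.
    """
    version = params.get("oauth_version", "1.0")
    if version != "1.0":
        raise ValueError(f"unsupported oauth_version {version!r}")
    return "2009.1" if "oauth_callback" in params else "original"


def accept_temporary_credential_request(header: str, allow_legacy: bool = False):
    """Hypothetical server policy for the request-token endpoint.

    Returns (accepted, reason). Requests without oauth_callback are refused
    by default, since that is the flow the 2009.1 revision exists to fix;
    a server still serving old clients can opt in with allow_legacy=True.
    """
    try:
        params = parse_oauth_header(header)
        flow = detect_flow(params)
    except ValueError as exc:
        return False, str(exc)
    if flow == "original":
        if allow_legacy:
            return True, "legacy flow accepted (allow_legacy=True)"
        return False, "legacy flow refused: oauth_callback missing from initial request"
    callback = params["oauth_callback"]
    # Revision A allows 'oob' for clients that cannot receive a redirect.
    if callback != "oob" and not callback.startswith(("http://", "https://")):
        return False, f"oauth_callback must be an absolute URI or 'oob', got {callback!r}"
    return True, f"2009.1 flow, callback bound to request: {callback}"


if __name__ == "__main__":
    for label, header in (("legacy", LEGACY_HEADER), ("revised", REVISED_HEADER)):
        print(label, accept_temporary_credential_request(header))
```

Because the callback is read from the signed initial request rather than from a later redirect parameter, the server knows at token-issue time which flow the client speaks, and no change to oauth_version on the wire is needed to make that decision.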
