One way is for the device to use a signing proxy on a server. Another is for
you to use very short-lived credentials and not require signatures - there
will still be a replay attack possible, but the window of the attack will be
much smaller. Yahoo!'s BBAuth protocol works this way. But at this point
this will no longer be OAuth but some other protocol.

EHL
On 6/17/09 3:50 AM, "Monis" <[email protected]> wrote:

> 
> 
> Section 7 of OAuth Core directs us to 'sign' the requests even after
> we have received a granted access token.
> This signing ensures security with each request made to the SP.
> 
> We have a case for implementing OAuth Consumers on mobile devices and
> the signing of each request to access protected resources could be
> costly, considering the sparse resources on the device.
> 
> Can there be a way around this to not sign requests every time and, once
> we have an authorized access token, send it as is for future retrieval
> of protected resources?
> We understand that replay attacks are possible if we don't follow the
> unique nonce and timestamp constraints (Section 8) but we don't want
> the replay attacks either :)
> 
> We also looked at OAuth Session extension, but again each request has
> to be signed in order to fetch protected content.
> 
> Thanks,
> Monis Iqbal
> 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
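The two options discussed in the thread, as an added example that is not from either poster: a service provider that verifies OAuth Core 1.0 HMAC-SHA1 signatures and enforces the Section 8 timestamp window and nonce uniqueness, beside the unsigned alternative where a short-lived token is sent as is and the only thing bounding a replay is its expiry. The consumer key, secrets, token values, resource URL, window and TTL are all constructed for this illustration; the signing proxy option is not simulated.

```python
"""Added example (not from the thread): OAuth 1.0 signed requests with
nonce/timestamp replay detection, beside an unsigned short-lived bearer
token whose only replay protection is its expiry. Credentials, token
values and the URL below are constructed for the example."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed consumer/token credentials (not real).
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
RESOURCE_URL = "https://photos.example.net/photos"


def pct(s) -> str:
    # OAuth 1.0 Section 5.1: only RFC 3986 unreserved characters stay unescaped.
    return quote(str(s), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Section 9.1: METHOD & encoded URL & encoded, sorted parameter string.
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    # Section 9.2: key is encoded consumer secret & encoded token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, now, nonce=None):
    """Consumer side: add the per-request oauth_* parameters (Section 7)."""
    params = dict(query)
    params.update({
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now)),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1(base, CONSUMER_SECRET, TOKEN_SECRET)
    return params


class SignedResourceServer:
    """Service provider enforcing Section 8: timestamp window + unique nonce."""

    def __init__(self, window=300):
        self.window = window          # seconds of clock skew tolerated (assumed)
        self.seen = set()             # (consumer, token, timestamp, nonce) used

    def verify(self, method, url, params, now) -> str:
        params = dict(params)
        sig = params.pop("oauth_signature", "")
        base = signature_base_string(method, url, params)
        expected = hmac_sha1(base, CONSUMER_SECRET, TOKEN_SECRET)
        if not hmac.compare_digest(sig, expected):
            return "bad signature"    # any tampering with method/URL/params
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return "stale timestamp"  # old captures are useless after the window
        key = (params["oauth_consumer_key"], params["oauth_token"],
               ts, params["oauth_nonce"])
        if key in self.seen:
            return "replay"           # same nonce/timestamp pair seen before
        self.seen.add(key)
        return "ok"


class BearerResourceServer:
    """The unsigned alternative: a short-lived token sent as is. A captured
    token replays freely until it expires; only the TTL bounds the damage."""

    def __init__(self, ttl=60):
        self.ttl = ttl                # lifetime in seconds (assumed value)
        self.expiry = {}              # token -> expiry time

    def issue(self, now) -> str:
        tok = secrets.token_urlsafe(16)
        self.expiry[tok] = now + self.ttl
        return tok

    def verify(self, token, now) -> str:
        exp = self.expiry.get(token)
        if exp is None:
            return "unknown token"
        return "ok" if now < exp else "expired"


if __name__ == "__main__":
    sp = SignedResourceServer()
    req = sign_request("GET", RESOURCE_URL, {"file": "vacation.jpg"}, now=1000)
    print(sp.verify("GET", RESOURCE_URL, req, now=1000))   # ok
    print(sp.verify("GET", RESOURCE_URL, req, now=1001))   # replay
```

The signed path rejects a verbatim re-send (nonce already seen) and a re-send after the window (stale timestamp); the bearer path accepts any number of re-sends of a captured token until the TTL runs out, which is the smaller-but-nonzero replay window the reply above describes.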
