Monis,

In my opinion, clock sync is out of scope of this spec. Most security protocols (PKI, Kerberos etc.) have a clock skew restriction but none specifies how to sync the clock. The following sentence from the spec is superfluous:

"Server applying such restriction SHOULD provide a way for the client to sync its clock with the server's clock."

The server here means the OAuth server, but the common practice is to sync with a time server using NTP. Clock is less of an issue for OAuth because both consumer and provider are usually servers. You can simply require NTP to be enabled for the servers running the consumer application. If your consumer is a client running on the user's machine, your key is already exposed. Why worry about replay :(

Does your consumer application have access to the HTTP header? If so, you can simply use the Date header in the error response to sync the clock. We do something like this in a Kerberos client. The server sends a special error code if the clock skew exceeds the limit. The client simply syncs the clock to the server time in the HTTP header and tries again.

Zhihong
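The Date-header resync that Zhihong describes, written out as an added Python example (this is not code from the thread or from any OAuth library). It models a provider that enforces a skew window on oauth_timestamp and then rejects reused (consumer key, timestamp, nonce) triples, and a consumer whose local clock is an hour slow: the first request is refused, the consumer learns an offset from the Date header of the error response and retries. The clocks, the consumer key, the 300-second window and the error tokens "timestamp_refused" and "nonce_used" are all constructed for the example; signature computation is omitted and assumed to happen elsewhere.

```python
from email.utils import formatdate, parsedate_to_datetime

MAX_SKEW = 300  # seconds of skew the provider tolerates (constructed value)


class Server:
    """Stand-in OAuth provider: checks timestamp skew first, then rejects
    replayed nonces. Signature verification is assumed to happen elsewhere."""

    def __init__(self, clock):
        self.clock = clock          # callable returning the provider's epoch seconds
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def handle(self, params):
        now = int(self.clock())
        # Every response carries a Date header, so a client can learn server time
        headers = {"Date": formatdate(now, usegmt=True)}
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > MAX_SKEW:
            return 401, headers, "timestamp_refused"   # hypothetical error token
        key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        if key in self.seen:
            return 401, headers, "nonce_used"          # replay detected
        self.seen.add(key)
        return 200, headers, "ok"


class Client:
    """Stand-in consumer whose local clock may be wrong; remembers a learned offset."""

    def __init__(self, clock, consumer_key="demo-consumer"):
        self.clock = clock
        self.consumer_key = consumer_key
        self.offset = 0             # seconds to add to local time before signing

    def _params(self, nonce):
        return {
            "oauth_consumer_key": self.consumer_key,
            "oauth_nonce": nonce,
            "oauth_timestamp": str(int(self.clock()) + self.offset),
        }

    def request(self, server, nonce):
        status, headers, body = server.handle(self._params(nonce))
        if status == 401 and body == "timestamp_refused":
            # Resync from the Date header of the error response and retry once
            server_now = parsedate_to_datetime(headers["Date"]).timestamp()
            self.offset = int(server_now) - int(self.clock())
            status, headers, body = server.handle(self._params(nonce))
        return status, body


def run_demo():
    server_epoch = 1_700_000_000                    # constructed fixed provider clock
    server = Server(lambda: server_epoch)
    client = Client(lambda: server_epoch - 3600)    # consumer clock one hour slow
    first = client.request(server, "nonce-A")       # refused, resynced, retried -> ok
    replay = client.request(server, "nonce-A")      # same triple again -> replay rejected
    fresh = client.request(server, "nonce-B")       # new nonce -> ok
    return {"first": first, "replay": replay, "fresh": fresh, "offset": client.offset}


if __name__ == "__main__":
    print(run_demo())
```

Two points a practitioner would want from this shape: the consumer only adjusts its offset on an error it just triggered, and only by the amount the provider's Date header implies, so it never silently drifts on a normal response; and because the skew check runs before the nonce lookup, the provider only has to remember nonces from within the MAX_SKEW window, since anything older is dropped without consulting the store.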
