>> Seth, I actually think that enforcing nonces should make this attack
>> impossible for guessing OAuth signatures (assuming you enforce nonces
>> for malformed requests). If you can only get a good/bad response once
>> then you're out of luck.
>
> I was thinking that the attacker would be attempting to guess consumer
> and token keys and secrets, not signatures.  With that approach, you
> can continue generating valid requests using different keys and
> secrets ad infinitum.  Thus, checking nonces and timestamps is
> irrelevant.

Never mind.  I'm wrong.  We're talking about signature comparisons
here, not keys.

seth
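As an added example (not from anyone in this thread), a Python sketch of the verifier-side defence under discussion: each nonce is consumed before the signature is ever inspected, so a guess burns its nonce whether the signature is right or wrong, and the signature comparison itself runs in constant time. The consumer key/secret pair and the simplified base string are constructed for the example and are not OAuth's full normalization.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, Set, Tuple

# Constructed consumer credentials for the example only (not real secrets).
CONSUMER_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TIMESTAMP_WINDOW = 300  # seconds of clock skew tolerated


def sign(consumer_key: str, base_string: str) -> str:
    """HMAC-SHA1 over the base string, keyed with consumer_secret + '&'
    (empty token secret), base64-encoded like OAuth 1.0 signatures."""
    key = (CONSUMER_SECRETS[consumer_key] + "&").encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class OAuthVerifier:
    """Gives a caller at most one accept/reject answer per nonce."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._seen: Set[Tuple[str, str, str]] = set()  # (key, ts, nonce)

    def _consume_nonce(self, key: str, ts: str, nonce: str) -> bool:
        # Record the nonce before the signature is examined, so a request
        # with a bad or malformed signature still burns its nonce.
        entry = (key, ts, nonce)
        if entry in self._seen:
            return False
        self._seen.add(entry)
        return True

    def verify(self, key: str, ts: str, nonce: str,
               base_string: str, signature: str) -> bool:
        try:
            if abs(int(ts) - self._now()) > TIMESTAMP_WINDOW:
                return False  # stale or future timestamp
        except ValueError:
            return False
        if not self._consume_nonce(key, ts, nonce):
            return False  # replayed nonce, regardless of signature
        if key not in CONSUMER_SECRETS:
            return False
        expected = sign(key, base_string)
        # Constant-time compare: elapsed time does not leak how many
        # leading bytes of the submitted signature were correct.
        return hmac.compare_digest(expected, signature)
```

A second call with the same nonce fails even when it carries the correct signature, which is what stops an attacker from refining a guess against one nonce.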

You received this message because you are subscribed to the Google Groups 
"OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en