> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of prashant kulkarni
> Sent: Friday, October 02, 2009 9:35 AM
> To: OAuth
> Subject: [oauth] Need for timestamp and nonce over HTTPS
> 
> 
> I am looking at implementing an OAuth Service Provider that only supports
> communication using HTTPS. The OAuth specification allows me to use
> PLAINTEXT signature method. I am thinking it should be a good fit for my
> purposes.
> 
> I have 2 questions
> 
> (a) My understanding is that I should be able to use PLAINTEXT without
> compromising security as long as I stick with HTTPS. Is my understanding
> right?

Yes (assuming HTTPS is done correctly).

> (b) I do not see any use of nonce and timestamp since there is no real
> signing of request or real threat of Man in the middle or replay
> attacks. Would I be compromising security if I do not keep track of
> nonce and timestamp?

No. They are completely useless with PLAINTEXT.

EHL
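
The point of the reply above, as an added example that is not part of the original thread: in OAuth 1.0 the PLAINTEXT signature is just the encoded consumer secret and token secret joined by `&`, so it does not cover `oauth_nonce` or `oauth_timestamp`, whereas the HMAC-SHA1 signature base string does. The endpoint, keys and secrets below are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def signing_key(consumer_secret, token_secret):
    return enc(consumer_secret) + "&" + enc(token_secret)

def sign_plaintext(method, url, params, consumer_secret, token_secret):
    # PLAINTEXT: the signature is the key itself; method, URL and params are unused.
    return signing_key(consumer_secret, token_secret)

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1: MAC over the signature base string, which includes nonce and timestamp.
    # Assumes url is already normalized (lowercase scheme/host, no query string).
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = signing_key(consumer_secret, token_secret).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verifies(sign, method, url, params, consumer_secret, token_secret):
    # Provider-side check: recompute over every received parameter except the signature.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params["oauth_signature"], expected)

def altered_request_verifies(sign, signature_method):
    # Constructed sample request; every value here is made up for the example.
    method, url = "GET", "https://sp.example/resource"
    secrets = ("consumer-secret", "token-secret")
    params = {"oauth_consumer_key": "ck", "oauth_token": "tk",
              "oauth_signature_method": signature_method,
              "oauth_timestamp": "1254472500", "oauth_nonce": "n-1"}
    params["oauth_signature"] = sign(method, url, params, *secrets)
    if not verifies(sign, method, url, params, *secrets):
        raise ValueError("original request failed verification")
    # Keep the signature, change only the nonce and timestamp.
    altered = dict(params, oauth_nonce="n-2", oauth_timestamp="1254479999")
    return verifies(sign, method, url, altered, *secrets)

if __name__ == "__main__":
    print("PLAINTEXT:", altered_request_verifies(sign_plaintext, "PLAINTEXT"))
    print("HMAC-SHA1:", altered_request_verifies(sign_hmac_sha1, "HMAC-SHA1"))
```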
