On Oct 3, 2009, at 5:25 PM, beckett wrote:
>
>>> My understanding is that I should be able to use PLAINTEXT without
>>> compromising security as long as I stick with HTTPS. Is my
>>> understanding right?
>
> Depends on what you mean by "compromising security".
>
> Say user wants to move data from Yahoo Contacts! to Plaxo. If you do
> HTTPS on both links, it is true that an eavesdropper listening on
> user's connection to Yahoo Contacts or user's connection to Plaxo will
> not be able to see anything.

Yes, with TLS, you get confidentiality (and request integrity).

>
> But if you just use PLAINTEXT you as Yahoo! Contacts have absolutely
> no idea if it's REALLY PLAXO at the other end.

How did the consumer get a token for the SP though?

> It is trivial for any
> site to get user to give up data. In which case you might as well not
> use OAUTH and just make your data publicly available period. So I
> would say that in any real situation, OAUTH-PLAINTEXT plus HTTPS
> equals ZERO security.

I think you get confidentiality and integrity from TLS, and you get
request authorization from OAuth, because a token that you accept comes
with the request. Assuming that the SP authenticated the consumer when
it asked for a token, or if the SP authenticates the consumer in some
other way, this all seems better than zero security.

Regards,
- johnk

>
> On Oct 2, 10:06 am, Eran Hammer-Lahav <[email protected]> wrote:
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf
>>> Of prashant kulkarni
>>> Sent: Friday, October 02, 2009 9:35 AM
>>> To: OAuth
>>> Subject: [oauth] Need for timestamp and nonce over HTTPS
>>
>>> I am looking at implementing OAuth Service Provider that only supports
>>> communication using HTTPS. The OAuth specification allows me to use
>>> PLAINTEXT signature method. I am thinking it should be a good fit for my
>>> purposes.
>>
>>> I have 2 questions
>>
>>> (a) My understanding is that I should be able to use PLAINTEXT without
>>> compromising security as long as I stick with HTTPS. Is my understanding
>>> right?
>>
>> Yes (assuming HTTPS is done correctly).
>>
>>> (b) I do not see any use of nonce and timestamp since there is no real
>>> signing of request or real threat of Man in the middle or replay
>>> attacks. Would I be compromising security if I do not keep track of
>>> nonce and timestamp?
>>
>> No. They are completely useless with PLAINTEXT.
>>
>> EHL
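As an added illustration of the two points made in this thread (not code from any poster or from an OAuth library), the following Service Provider-side check shows what an OAuth 1.0 PLAINTEXT "signature" actually is: the percent-encoded consumer secret and token secret, joined by "&". The SP authenticates the consumer by comparing those secrets, TLS is the only thing keeping them confidential, and no nonce/timestamp bookkeeping is involved. The consumer key, token, secrets and the `over_tls` flag are constructed sample values.

```python
import hmac
from urllib.parse import quote, unquote

# Constructed SP-side credential stores (hypothetical consumer and token).
CONSUMER_SECRETS = {"plaxo-key": "c0nsumer-s3cret"}
TOKEN_SECRETS = {"tok-7f3": ("plaxo-key", "t0ken-s3cret")}  # token -> (consumer it was issued to, secret)

def encode(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars kept)."""
    return quote(s, safe="-._~")

def plaintext_signature(consumer_secret: str, token_secret: str) -> str:
    """PLAINTEXT 'signature': encoded consumer secret, '&', encoded token secret."""
    return encode(consumer_secret) + "&" + encode(token_secret)

def parse_authorization(header: str) -> dict:
    """Parse 'OAuth k="v", k2="v2"' into a dict, percent-decoding each value."""
    scheme, _, params = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = unquote(v.strip('"'))
    return out

def verify_plaintext(header: str, over_tls: bool) -> bool:
    """SP-side check: True only if the request is authorized under PLAINTEXT rules."""
    if not over_tls:
        return False  # the 'signature' is the secrets themselves; never accept it in the clear
    p = parse_authorization(header)
    if p.get("oauth_signature_method") != "PLAINTEXT":
        return False
    consumer_secret = CONSUMER_SECRETS.get(p.get("oauth_consumer_key", ""))
    issued = TOKEN_SECRETS.get(p.get("oauth_token", ""))
    if consumer_secret is None or issued is None:
        return False
    issued_to, token_secret = issued
    if issued_to != p["oauth_consumer_key"]:
        return False  # token was issued to a different consumer
    expected = plaintext_signature(consumer_secret, token_secret)
    # Constant-time compare. No nonce/timestamp check: with PLAINTEXT the secrets are
    # the credential, so anyone able to replay them already holds them.
    return hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode())

# Constructed request as the consumer sends it over HTTPS; the signature is
# percent-encoded once more as a header parameter, so '&' travels as '%26'.
SAMPLE_HEADER = ('OAuth oauth_consumer_key="plaxo-key", oauth_token="tok-7f3", '
                 'oauth_signature_method="PLAINTEXT", oauth_signature="'
                 + encode(plaintext_signature("c0nsumer-s3cret", "t0ken-s3cret")) + '"')
```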
