Yes, I agree, the wording could be rephrased to indicate that the
Consumer's credentials (the consumer secret) as well as the user
credentials Access Token (and access token secret) are not protected
when using PLAINTEXT without HTTPS.

Allen

beckett wrote:
>
> Also, I wonder if in the security consideration in the PLAINTEXT part
> of the spec, where it says "User", one means "Consumer".
>
> "When used with PLAINTEXT signatures, the OAuth protocol makes no
> attempts to protect User credentials from eavesdroppers or man-in-the-
> middle attacks. The PLAINTEXT signature algorithm is only intended to
> be used in conjunction with a transport-layer security mechanism such
> as TLS or SSL which does provide such protection. If transport-layer
> protection is unavailable, the PLAINTEXT signature method should not
> be used."
>
>
>   
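
The exposure discussed in this message, as an added example that is not part of the original thread or of any OAuth library: with PLAINTEXT the oauth_signature parameter is just the encoded consumer secret and token secret joined by "&", so a server-side check can refuse PLAINTEXT requests that did not arrive over TLS and report which credentials were sent in the clear. The function names, the header and all secrets below are constructed for illustration.

```python
# Added example (not from the thread). All keys and secrets are constructed.
import re
from urllib.parse import quote, unquote

def pct(s):
    # OAuth 1.0 parameter encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def plaintext_signature(consumer_secret, token_secret=""):
    # PLAINTEXT: the two encoded secrets joined by '&'. Nothing is hashed.
    return pct(consumer_secret) + "&" + pct(token_secret)

def parse_oauth_header(header):
    # Parse 'OAuth k="v", ...' into a dict of percent-decoded values.
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}

def check_request(url_scheme, header):
    """Return (allowed, exposed). PLAINTEXT is allowed only over https;
    otherwise 'exposed' lists the credentials readable on the wire."""
    p = parse_oauth_header(header)
    if p.get("oauth_signature_method") != "PLAINTEXT" or url_scheme == "https":
        return True, {}
    consumer_part, _, token_part = p.get("oauth_signature", "").partition("&")
    exposed = {
        "consumer_secret": unquote(consumer_part),  # Consumer credential
        "token_secret": unquote(token_part),        # user's token secret
        "oauth_token": p.get("oauth_token", ""),    # user's access token
    }
    return False, exposed

# Constructed sample header, as a Consumer would send it with PLAINTEXT.
SAMPLE = (
    'OAuth oauth_consumer_key="example-consumer", oauth_token="example-token", '
    'oauth_signature_method="PLAINTEXT", oauth_signature="%s"'
    % pct(plaintext_signature("c0nsumer&secret", "t0ken-secret"))
)

if __name__ == "__main__":
    print(check_request("http", SAMPLE))   # rejected, both secrets recovered
    print(check_request("https", SAMPLE))  # allowed, TLS protects the header
```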

