I no longer think there is a valid reason why the OAuth 1.0 specification does 
not mandate using a secure channel with PLAINTEXT, and I would like to make 
this change from SHOULD to MUST in the RFC draft [1].

Is there anyone using OAuth PLAINTEXT *not* over TLS/SSL? Is there a *good* 
reason why the 1.0 specification should not mandate using a secure channel for 
PLAINTEXT? If someone really wants to use it without, it's a free country but I 
can't think of any reason.

The only reason not to make the change is if there are existing deployed use 
cases where PLAINTEXT is used in such a way. If there are none after two years, 
we should not allow it moving forward.

EHL

[1] http://tools.ietf.org/html/draft-hammer-oauth