On Jan 8, 2010, at 9:15 PM, Eran Hammer-Lahav wrote:
[...]

> Is there a *good* reason why the 1.0 specification should not mandate using
> a secure channel for PLAINTEXT?

I guess the question is whether you want implementations using other methods to
ensure confidentiality and which don't need other security properties (servers
on an intranet, for example, firewalled/VPN'd from the general Internet) to
become non-conforming?

> The only reason not to make the change is if there are existing deployed use
> cases where PLAINTEXT is used in such a way.

I would imagine that there are deployments of OAuth in environments where they
simply want to use PLAINTEXT for authorization, and have existing methods of
dealing with other security properties.

What is the actual reasoning behind this change? I don't understand why we
would suddenly now decide to make some whole class of implementations
non-conforming, even if there were only a few deployments?

Regards,

- johnk