Hi everyone,

In section 4.3 version 1.0 of the OAuth spec, it is stated that the protocol does not attempt to verify the authenticity of the server. Scanning the draft of 2.0 and searching the archives, I didn't see much mention of this.
Has there been any work to address this issue? I understand that using SSL for all requests may mitigate this risk, but with SSL certificates obtainable so easily and cheaply, it's hard to completely trust it as well.

Thanks!
