Authentication Open Question #3: Should we require using TLS/SSL/secure channel for any request made without a signature?
WRAP got a lot of attention (mostly negative) for how it sends requests without using signatures or a secure channel. WRAP only uses HTTPS for obtaining tokens but does not mandate (or even suggest) using HTTPS for making protected resource requests. Instead, WRAP recommends short-lived tokens that must be refreshed (using HTTPS).

In a recent thread [1] on this list we reached (very small) consensus that the OAuth 1.0 protocol should mandate HTTPS for the PLAINTEXT method. The community edition only recommends it.

QUESTIONS: Are there any valid reasons (ones that will pass IETF security review scrutiny) for allowing unsigned requests to be sent in the clear over an insecure channel? Are there use cases for this (regardless of their security properties)?

EHL

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg00951.html
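As an added illustration (not part of the original message, and not code from any OAuth implementation), here is a minimal resource-server check that enforces the policy the thread leans toward: PLAINTEXT signatures are accepted only when the request arrived over a secure channel, HMAC-SHA1 signatures are accepted either way, and a (timestamp, nonce) set rejects replays. Secrets, keys and the URL are constructed sample values; the `over_tls` flag stands in for whatever the listener or a trusted proxy reports.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def _enc(value):
    # OAuth 1.0 percent-encoding: everything except unreserved characters is escaped
    return quote(value, safe="-._~")

def signature_base_string(method, url, params):
    # url is assumed already normalized; oauth_signature itself is never part of the base string
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()) if k != "oauth_signature")
    return "&".join(_enc(part) for part in (method.upper(), url, norm))

def plaintext_signature(consumer_secret, token_secret):
    # PLAINTEXT puts both secrets on the wire as-is; only the transport protects them
    return f"{_enc(consumer_secret)}&{_enc(token_secret)}"

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    key = plaintext_signature(consumer_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

class ResourceServer:
    # Verifies one client's requests; PLAINTEXT is accepted only over a secure channel (constructed example)
    def __init__(self, consumer_secret, token_secret):
        self.consumer_secret, self.token_secret = consumer_secret, token_secret
        self.seen = set()  # (timestamp, nonce) pairs already used; a real server also bounds timestamp age

    def verify(self, method, url, params, over_tls):
        # over_tls must come from the listener or a trusted proxy header, never from the client
        sig_method = params.get("oauth_signature_method")
        if sig_method == "PLAINTEXT":
            if not over_tls:
                return False, "plaintext_requires_tls"
            expected = plaintext_signature(self.consumer_secret, self.token_secret)
        elif sig_method == "HMAC-SHA1":
            base = signature_base_string(method, url, params)
            expected = hmac_sha1_signature(base, self.consumer_secret, self.token_secret)
        else:
            return False, "unsupported_signature_method"
        presented = params.get("oauth_signature", "").encode()
        if not hmac.compare_digest(presented, expected.encode()):
            return False, "bad_signature"
        replay_key = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "replay"
        self.seen.add(replay_key)
        return True, "ok"
```

The same check, with `over_tls` always false, is what a server would apply to a WRAP-style bare token: nothing in the request binds it to the channel, so the transport is the only protection.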
