On Wed, Jan 13, 2010 at 10:05 PM, Eran Hammer-Lahav <[email protected]> wrote:

> Authentication Open Question #3: Should require using TLS/SSL/secure channel
> for any request made without a signature?
>
> WRAP got a lot of attention (mostly negative) to how it sends requests
> without using signatures or a secure channel. WRAP only uses HTTPS for
> obtaining tokens but does not mandate (or even suggest) using HTTPS for
> making protected resource requests. Instead, WRAP recommends short-lived
> tokens that must be refreshed (using HTTPS).
>
> In a recent thread [1] on this list we reached (very small) consensus that the
> OAuth 1.0 protocol should mandate HTTPS for the PLAINTEXT method. The
> community edition only recommends it.

Actually, HTTPS or equivalent channel security was the consensus.

> QUESTIONS: Are there any valid (such that will pass IETF security review
> scrutiny) reasons for allowing unsigned requests to be sent in the clear
> over an insecure channel? Are there use cases for this (regardless of their
> security properties)?

There was also a discussion (initiated by Brian Eaton) regarding the combination of short-lived token plus refresh, which should be dug up.

> EHL
>
> [1] http://www.ietf.org/mail-archive/web/oauth/current/msg00951.html
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
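The question above is whether an unsigned (PLAINTEXT) request may travel over a non-secure channel. The following Python is an added example, not code from this thread or from any OAuth library, showing why the two OAuth 1.0 methods differ: with PLAINTEXT the shared secrets themselves are the "signature" and appear verbatim in the request, whereas with HMAC-SHA1 only a MAC over the RFC 5849 base string is sent. The `check_request` acceptance policy (PLAINTEXT only over `https`, HMAC-SHA1 over any scheme), the `secret_on_wire` check, and the sample URL, keys and parameters are assumptions constructed for illustration.

```python
"""Added example: OAuth 1.0 signing methods plus a hypothetical resource-server
policy for unsigned requests on an insecure channel. Sample values are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

SECURE_SCHEMES = {"https"}  # assumption: TLS is the only secure channel recognised


def _pct(s: str) -> str:
    # RFC 5849 section 3.6: encode everything except ALPHA / DIGIT / '-' '.' '_' '~'
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1 signature base string (oauth_signature excluded)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in {("http", 80), ("https", 443)}:
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    # Encode first, then sort by encoded name and value (section 3.4.1.3.2)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in pairs))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 (section 3.4.2): secrets stay on the client, only a MAC is sent."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def plaintext_signature(consumer_secret, token_secret) -> str:
    """PLAINTEXT (section 3.4.4): the shared secrets themselves are the 'signature'."""
    return f"{_pct(consumer_secret)}&{_pct(token_secret)}"


def secret_on_wire(params: dict, token_secret: str) -> bool:
    """Does the token secret appear verbatim in any transmitted parameter?"""
    return any(token_secret in v for v in params.values())


def check_request(url, params, consumer_secret, token_secret, method="GET"):
    """Hypothetical resource-server policy, returns (accepted, reason).

    PLAINTEXT is accepted only when the request arrived over a secure scheme;
    HMAC-SHA1 is accepted on any scheme because the MAC reveals no secret.
    """
    sig_method = params.get("oauth_signature_method")
    if sig_method == "PLAINTEXT":
        if urlsplit(url).scheme.lower() not in SECURE_SCHEMES:
            return False, "PLAINTEXT requires a secure channel"
        expected = plaintext_signature(consumer_secret, token_secret)
    elif sig_method == "HMAC-SHA1":
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    else:
        return False, f"unsupported signature method {sig_method!r}"
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    return True, "ok"


# Constructed sample values (not real credentials or endpoints)
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret", "token-secret"
HTTP_URL = "http://api.example.com/resource?b=2&a=1"
HTTPS_URL = "https://api.example.com/resource?b=2&a=1"
BASE_PARAMS = {
    "oauth_consumer_key": "key",
    "oauth_token": "tok",
    "oauth_nonce": "n1",
    "oauth_timestamp": "1263430000",
    "oauth_version": "1.0",
}


def hmac_request(url: str) -> dict:
    """Client side: sign the request with HMAC-SHA1."""
    p = dict(BASE_PARAMS, oauth_signature_method="HMAC-SHA1")
    p["oauth_signature"] = hmac_sha1_signature("GET", url, p, CONSUMER_SECRET, TOKEN_SECRET)
    return p


def plaintext_request() -> dict:
    """Client side: PLAINTEXT, which ships both secrets inside the request."""
    p = dict(BASE_PARAMS, oauth_signature_method="PLAINTEXT")
    p["oauth_signature"] = plaintext_signature(CONSUMER_SECRET, TOKEN_SECRET)
    return p


if __name__ == "__main__":
    for label, url, req in [
        ("HMAC-SHA1 over http", HTTP_URL, hmac_request(HTTP_URL)),
        ("PLAINTEXT over http", HTTP_URL, plaintext_request()),
        ("PLAINTEXT over https", HTTPS_URL, plaintext_request()),
    ]:
        print(label, check_request(url, req, CONSUMER_SECRET, TOKEN_SECRET),
              "secret on wire:", secret_on_wire(req, TOKEN_SECRET))
```

Running the script shows the asymmetry the thread is debating: the HMAC-SHA1 request verifies over plain `http` without the token secret ever appearing in a parameter, while the PLAINTEXT request carries `consumer-secret&token-secret` literally and is refused unless the scheme is `https`. Short-lived tokens reduce how long a captured PLAINTEXT value stays useful but do not change what is exposed.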
