On Jan 14, 2010, at 1:05 AM, Eran Hammer-Lahav wrote:

[...]

> QUESTIONS: Are there any valid (such that will pass IETF security review
> scrutiny) reasons for allowing unsigned requests to be sent in the clear
> over an insecure channel? Are there use cases for this (regardless of their
> security properties)?
I am still wavering on this. I think that using a bearer token with short lifetime and one-time use semantics (for example) is probably sufficient security for many use-cases. And using TLS/SSL (or even just signing and verifying a signed request) in all cases may provide too much performance overhead for some of those cases.

In other words, I think that it's not only channel security we need to consider, but a combination of other measures that would, in some cases, obviate the need for TLS.

Regards,

- johnk

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
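The "short lifetime plus one-time use" measure discussed in the reply, shown as server-side enforcement in an added example that is not part of the thread or the OAuth working group's code; the `TokenStore` class, the 30-second lifetime and the replay scenario are constructed assumptions. It shows what such semantics do buy (a captured token cannot be replayed or used after expiry) while leaving the request contents themselves unprotected, which is the trade-off the thread is weighing against TLS.

```python
import secrets
import time

# Constructed example: a resource server accepts a bearer token only while it
# is unexpired, and only once. A token an eavesdropper copies off an
# insecure channel is therefore useless after the legitimate client's single
# request or after the (short, assumed) lifetime, whichever comes first.
TOKEN_LIFETIME_SECONDS = 30  # assumed value, not from the thread


class TokenStore:
    """In-memory issuer/validator for short-lived, single-use bearer tokens."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so the scenario below can advance time
        self._live = {}           # token -> expiry timestamp

    def _purge(self):
        # Drop expired entries so the store does not grow without bound.
        now = self._clock()
        for tok in [t for t, exp in self._live.items() if exp < now]:
            del self._live[tok]

    def issue(self, lifetime=TOKEN_LIFETIME_SECONDS):
        self._purge()
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        self._live[token] = self._clock() + lifetime
        return token

    def redeem(self, token):
        """True exactly once for a live token; False if unknown, expired or replayed."""
        expiry = self._live.pop(token, None)  # pop() is what enforces one-time use
        if expiry is None:
            return False
        return self._clock() <= expiry


def replay_scenario():
    """Walk through the two failure modes the semantics are meant to close."""
    now = [1000.0]
    store = TokenStore(clock=lambda: now[0])
    t1 = store.issue()
    first = store.redeem(t1)    # legitimate client's request: accepted
    replay = store.redeem(t1)   # same token presented again (replay): rejected
    t2 = store.issue()
    now[0] += TOKEN_LIFETIME_SECONDS + 1  # lifetime elapses before any use
    late = store.redeem(t2)     # expired token: rejected
    return first, replay, late  # -> (True, False, False)
```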
