John Kemp wrote:
> ...
> And I think there are such cases - rather vaguely I could say that the broad category
> would be anything for which a large volume of authorized requests is possible, and where
> the "value" in an individual request is low. That certainly does not include
> email, which I rather think _is_ deserving of confidentiality over insecure networks (of
> course, Gmail does allow you to turn off https if you are in a more secure network
> environment).
> ...
There definitely are such use cases. For instance, if I kept a photo
album on Flickr and asked Kodak to print it, I personally would not
care if others got access to this album by replaying (or just learned
that I was trying to print some pictures). But I envision that OAuth
will be used in much more serious cases, where the "value" will be high.
The problem is that allowing individual users to judge the value,
understand the risks, and make their own decisions in specific cases is
not a good idea. The protocol must enforce it.
Igor
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth