On Thu, Jan 14, 2010 at 11:15 AM, Igor Faynberg <[email protected]> wrote:
> John Kemp wrote:
>
>> ...
>>
>> And I think there are such cases - rather vaguely I could say that the
>> broad category would be anything for which a large volume of authorized
>> requests is possible, and where the "value" in an individual request is low.
>> That certainly does not include email, which I rather think _is_ deserving
>> of confidentiality over insecure networks (of course, Gmail does allow you
>> to turn off https if you are in a more secure network environment).
>>
>> ...
>>
> There definitely are such use cases. For instance, if I kept a photo album
> on Flickr and asked Kodak to print it, I personally would not care if
> others got access to this album by replaying (or just learned that I was
> trying to print some pictures). But I envision that OAuth will be used in
> much more serious cases, where the "value" will be high. The problem is that
> allowing individual users to judge the value, understand the risks, and
> make their own decisions in specific cases is not a good idea. The protocol
> must enforce it.

Are you saying that the protocol must enforce "strongest auth" in all cases? Or that the protocol must understand the security implications of the data and make appropriate decisions? (I'm assuming the former.)

> Igor
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
