On 1/15/10 2:02 PM, "John Kemp" <[email protected]> wrote:
> Why would someone bother to sit and capture bearer tokens - what is the value
> of doing that, and what is the actual risk? In some cases, probably not that
> great...
It would be great if the WRAP authors can share with us how their employers
plan to deploy their protocol. We have three major companies involved in
developing WRAP and they created a solution that can create severe security
risks. I am not aware of any APIs from MS, Y!, or Google that I would be
happy to use if they used bearer tokens without channel security.
> I think you've raised a valid issue, but I don't yet hear any consensus about
> this change, or whether the suggested text actually does what we want. I hope
> you'll consider that (and perhaps wait a bit longer to make such a change).
I agree, which is why I didn't want to paint this as a decided issue, just
that we might need more context to reach consensus and I need to put
something in the spec. My proposal is to be more restrictive and loosen it
later instead of the other way around.
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth