Can you apply this (without too much detail) to both WRAP and OAuth 1.0a? I 
think it would be useful to see how each comply with these goals (which look 
pretty important to me).

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Brian Eaton
> Sent: Thursday, February 18, 2010 12:36 PM
> To: [email protected]
> Subject: [OAUTH-WG] operational security
> 
> On the call people wanted me to clarify what I meant when I talked about
> operational security.  In a nutshell, I mean:
> 
> - what systems and what people have access to long-lived secrets?
>    Keep this to a reasonable level, where reasonable is defined by different
> use cases.
> 
> - what systems and what people have access to shorter-lived secrets?
>    Repeat above caveat about reasonable protection.
> 
> - how are those secrets protected?
>    Repeat above caveat about reasonable protection.
> 
> - deal with practical considerations of systems that people really build.
>    Issues like latency, scalability, functionality, and complexity impact all of the above.
> 
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth