Accidentally sent the following directly to Brian instead of the list. I'll try again ....
On Fri, Mar 19, 2010 at 2:44 PM, Brian Eaton <[email protected]> wrote:

> Plaintext doesn't work in this context, because it sends long-lived
> secrets in clear-text to servers that are under the control of the
> application author, or, in the case of gadgets, everyone viewing the
> gadget.

That's not what I read. In the OpenSocial case the gadget does not hold the secret, as that would be insecure in the manner you describe. The container holds the secret. The gadget only tells the container what signing method to use, not what secret to use. How the container manages to get the secret or keep track of which secret works with which provider is a mystery to me.

There is no need to send the secret in the clear. OAuth 1.0a says that the PLAINTEXT method should be used only over a secure channel.

Ethan

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
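An added example, written for this page and not code from the thread or from OpenSocial, showing the distinction the two messages turn on: with PLAINTEXT the oauth_signature is literally the two secrets joined by "&", so it is only safe inside a secure channel, while HMAC-SHA1 keeps the secrets off the wire; the container_sign helper, the sample secrets and the use of an https:// URL as the test for a "secure channel" are my assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials; only the container ever sees these.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"

def oauth_encode(s: str) -> str:
    """OAuth 1.0a percent-encoding: only unreserved characters pass through."""
    return quote(s, safe="-._~")

def signature_key(consumer_secret: str, token_secret: str) -> str:
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"

def sign_plaintext(consumer_secret: str, token_secret: str) -> str:
    # PLAINTEXT: the "signature" is the key itself, so both secrets travel in the request.
    return signature_key(consumer_secret, token_secret)

def base_string(method: str, url: str, params: dict) -> str:
    normalized = "&".join(f"{oauth_encode(k)}={oauth_encode(v)}"
                          for k, v in sorted(params.items()))
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret) -> str:
    # HMAC-SHA1: the secrets key the MAC and never appear on the wire.
    key = signature_key(consumer_secret, token_secret).encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def reveals_secret(signature: str, consumer_secret: str, token_secret: str) -> bool:
    """Does a passive observer of the signature read either secret directly?"""
    return consumer_secret in signature or token_secret in signature

def secure_channel(url: str) -> bool:
    # Assumption: "secure channel" modelled as an https:// endpoint.
    return url.lower().startswith("https://")

def container_sign(requested_method, http_method, url, params, secrets) -> str:
    # The gadget only names the method; the container holds the secrets and
    # refuses PLAINTEXT unless the channel is secure.
    if requested_method == "PLAINTEXT":
        if not secure_channel(url):
            raise ValueError("PLAINTEXT only over a secure channel")
        return sign_plaintext(*secrets)
    if requested_method == "HMAC-SHA1":
        return sign_hmac_sha1(http_method, url, params, *secrets)
    raise ValueError(f"unsupported oauth_signature_method: {requested_method}")
```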
