I agree. Authorization servers should issue credentials (tokens) with clear semantics. If a token is to be used with a signature, its properties should reflect it. If a server doesn't require signatures, why waste storage and bandwidth with secrets.
EHL > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Brian Eaton > Sent: Thursday, March 25, 2010 8:50 PM > To: Ethan Jewett > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Thinking about our secrets for signatures > > On Thu, Mar 25, 2010 at 7:54 PM, Ethan Jewett <[email protected]> > wrote: > > Possibly this is a silly question, but why not #2 and have the bearer > > token method (over SSL of course) include the token secret? The > > provider would always issue a token and a token secret. If the client > > is not interested in signing methods, it can discard the token and > > keep the token secret. This secret is never sent in the clear using a > > signing method. I believe that this is the approach taken in OAuth > > 1.0a and it seems like it should address this concern. > > Well thought-out bearer tokens and well thought-out proof of possession > tokens rarely look the same. > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
