On 19.04.2010 22:37, Brian Eaton wrote:
> On Mon, Apr 19, 2010 at 1:34 PM, Torsten Lodderstedt
> <[email protected]> wrote:
>> Do you mean the thread "Signatures, Why?"
>> (http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy)?
>> I cannot remember that there was a consensus not to use signatures on
>> requests to the authorization server.
> I can. =)
Can you please refer to the respective postings?
I wonder why a whole category of security measures is left out when
designing a security-sensitive protocol like OAuth.
Eran gave an example of an attack that could be prevented using
signatures, and there are others. Moreover, authenticating clients using
public keys was an option in OAuth 1.0a. Why isn't that an option any
longer?
regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth