On May 28, 2010, at 9:21 AM, William Mills wrote: > I thought one of the fundamental ugly problems is that the client > doesn't actually know the full URL authoritatively in all frameworks, > because variables get appended to the query string in an unknown order > in some cases?
If the client doesn't know exactly what it is sending, then it isn't a secure client and any signature it might provide is bogus, by definition. Why do you bother to consider such a case? Let the clients fix their own technology. ....Roy _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
