On Tue, Jun 7, 2011 at 4:24 PM, Adam Barth <[email protected]> wrote: > I'm not sure that's appropriate for this mechanism. What problem does > channel binding solve?
CB is not appropriate for OAuth today, no, because OAuth doesn't give you mutual authentication, which means channel binding can't be done either (well, not with any security guarantees). You missed my point however: I don't really want to see a specific purpose MAC here because I do believe it's generalizable, and if we don't generalize it now we'll just have more special casing in code later. For a general MAC I'd want an option for CB (when TLS is used, of course). Nico -- _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
