On Thu, Jun 16, 2011 at 1:05 PM, Torsten Lodderstedt < [email protected]> wrote:
> No, it's not simpler nor clearer. Such a client secret is useless, so the
> security implications have to be explained anyway.

The issue really isn't the security implications being unclear; the issue is that the normative language that describes the protocol flows is ambiguous.

> Moreover, whatever the spec will state people would start to _rely_ on
> client secrets even for native apps, which is a really bad idea.

OK, so you are arguing that baking the string "notasecret" into a client application makes that client application less secure. That's not really plausible.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
