No, I'm saying people will use real secrets and rely on them - just as
with OAuth 1.0.
On 16.06.2011 22:20, Brian Eaton wrote:
> On Thu, Jun 16, 2011 at 1:05 PM, Torsten Lodderstedt
> <[email protected]> wrote:
>> No, it's not simpler nor clearer. Such a client secret is useless,
>> so the security implications have to be explained anyway.
> The issue really isn't the security implications being unclear; the
> issue is that the normative language that describes the protocol flows
> is ambiguous.
>> Moreover, whatever the spec will state, people would start to
>> _rely_ on client secrets even for native apps, which is a really
>> bad idea.
> OK, so you are arguing that baking the string "notasecret" into a
> client application makes that client application less secure. That's
> not really plausible.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth