Hannes Tschofenig <[email protected]> writes:
> I am sure that we can come up with many different protocols; the area of key
> agreement protocols isn't necessarily a new one.
>
> (What by the way is "H(R)" standing for?)
I'm pretty sure he means Hash of R. E.g. you send the SHA-1 Hash of R
as a commitment of R, and then later you send R. But see my previous
message, because this *requires* the AS be involved in EVERY request. I
don't think that's a reasonable architecture. Tokens should have a
validity period and the client should be free to continually use the
token without going back to the AS during that period. Otherwise the AS
becomes a single point of failure and a bottleneck.
-derek
--
Derek Atkins 617-623-3745
[email protected] www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
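The H(R) commit-then-reveal exchange discussed above, as an added example that is not from the thread or any OAuth implementation: the client sends H(R) first and R later, and the verifier (the AS in the thread) must keep per-request state between the two messages, which is the "AS on every request" cost the reply objects to. The nonce, the request ids and the sample values are assumptions of this example, and SHA-256 is used where the message names SHA-1 only as an illustration.

```python
"""Hash commitment: send H(R) as a commitment, reveal R afterwards."""
import hashlib
import hmac
import os

HASH_NAME = "sha256"  # the thread's example is SHA-1; any collision-resistant hash fits


def commit(r: bytes, nonce: bytes) -> str:
    """Commitment to R, computed as H(nonce || R).

    The nonce is an addition to the bare H(R) of the thread: without it a
    verifier who can guess R (a short or low-entropy value) can confirm the
    guess against the commitment before R is revealed.
    """
    return hashlib.new(HASH_NAME, nonce + r).hexdigest()


def check_opening(commitment: str, r: bytes, nonce: bytes) -> bool:
    """True if (r, nonce) opens `commitment`; constant-time comparison."""
    return hmac.compare_digest(commit(r, nonce), commitment)


class CommitmentVerifier:
    """Verifier side: holds each outstanding commitment until its reveal.

    This per-request table is the state the AS would have to keep for every
    request in flight, which is why the scheme cannot work with an AS that
    issues a token once and then steps aside.
    """

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}

    def receive_commitment(self, request_id: str, commitment: str) -> None:
        self.pending[request_id] = commitment

    def receive_reveal(self, request_id: str, r: bytes, nonce: bytes) -> bool:
        commitment = self.pending.pop(request_id, None)  # consumed on any reveal
        if commitment is None:
            return False  # nothing outstanding for this request (or a replay)
        return check_opening(commitment, r, nonce)


def demo() -> tuple:
    """Constructed round trip: honest reveal, altered R, replayed reveal."""
    verifier = CommitmentVerifier()
    r, nonce = b"constructed-R-value", os.urandom(16)  # constructed sample values
    verifier.receive_commitment("req-1", commit(r, nonce))
    honest = verifier.receive_reveal("req-1", r, nonce)
    verifier.receive_commitment("req-2", commit(r, nonce))
    altered = verifier.receive_reveal("req-2", b"constructed-other-R", nonce)
    replay = verifier.receive_reveal("req-1", r, nonce)  # req-1 already consumed
    return honest, altered, replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```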