Derek Atkins <[email protected]> wrote on 2012-09-10 21:23:12:

> Hannes Tschofenig <[email protected]> writes:
>
> > I am sure that we can come up with many different protocols; the
> > area of key agreement protocols isn't necessarily a new one.
> >
> > (What by the way is "H(R)" standing for?)
>
> I'm pretty sure he means Hash of R. E.g. you send the SHA-1 Hash of R
> as a commitment of R, and then later you send R. But see my previous
> message, because this *requires* the AS be involved in EVERY request. I
> don't think that's a reasonable architecture. Tokens should have a
> validity period and the client should be free to continually use the
> token without going back to the AS during that period. Otherwise the AS
> becomes a single point of failure and a bottleneck.

Since the access token is time-limited (from a few minutes to 1 hour) and R is transported over TLS, it is not necessarily used only once.

> -derek
>
> --
> Derek Atkins 617-623-3745
> [email protected] www.ihtfp.com
> Computer and Internet Security Consultant
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
