I imagine a service provider might want to revoke a consumer secret. You might specify how the service provider can signal that it has done so, to enable the consumer to automatically get a fresh consumer secret. You might extend http://oauth.pbwiki.com/ProblemReporting for the purpose.
You might recommend that consumers limit the useful lifetime of a confirmation token. It seems like a good idea to invalidate a token after a single use and/or a fairly short time interval. When validating a confirmation token, it seems like a good idea to use HTTPS and to require that the consumer (HTTPS server) present a certificate issued by a trusted authority and matching the HTTPS server's host name. (Browsers often require this.)

An entirely different protocol occurs to me. When requesting a consumer secret, the consumer could sign the request with its certificate. That is, the request contains a certificate, issued by a trusted authority, that matches the consumer key (that is, the consumer's root URL), and the request is signed with the private key associated with that certificate. The service provider validates the certificate and uses the certificate's public key to validate the signature. If all is valid, it returns the desired consumer secret. The consumer would not send a confirmation token, and the service provider would not validate a confirmation token.

Perhaps this won't work for OpenMicroBlogging. Perhaps it's a bad idea in general. :-)
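The certificate-signed secret request sketched in the message above, written out as an added example in Go; it is not code from the post, from OAuth or from OpenMicroBlogging. Everything concrete here is assumed for illustration: the request shape (`SecretRequest` with consumer key, nonce, DER certificate and signature), the canonical string that is signed, the hosts consumer.example and attacker.example, and a constructed in-memory CA standing in for "a trusted authority". The service provider side checks exactly what the message asks for: the chain goes to a trusted root, the certificate's host matches the host of the consumer key, and the signature verifies under the certificate's public key. It also folds in the single-use idea from the confirmation-token paragraph by refusing a repeated nonce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SecretRequest is the hypothetical "issue me my consumer secret" message: consumer key
// (a root URL), nonce, the consumer's DER certificate and an ECDSA signature over canonical().
type SecretRequest struct {
	ConsumerKey, Nonce string
	CertDER, Signature []byte
}

// canonical is the exact byte string both sides sign and verify.
func canonical(r *SecretRequest) []byte {
	return []byte("consumer_secret_request\n" + r.ConsumerKey + "\n" + r.Nonce)
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and certificate: a self-signed CA when ca is nil, otherwise a leaf
// for host name signed by ca. This constructed test PKI stands in for "a trusted authority".
func issue(serial int64, name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature} // SAN: the host the SP matches
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.DNSNames = true, true, x509.KeyUsageCertSign, nil
		ca, caKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
	return key, must(x509.ParseCertificate(der))
}

// sign is the consumer side: sign with the private key matching the attached certificate.
func sign(key *ecdsa.PrivateKey, cert *x509.Certificate, consumerKey, nonce string) *SecretRequest {
	r := &SecretRequest{ConsumerKey: consumerKey, Nonce: nonce, CertDER: cert.Raw}
	digest := sha256.Sum256(canonical(r))
	r.Signature = must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	return r
}

// verify is the service provider side: chain and host match, then signature, then the nonce is consumed.
func verify(roots *x509.CertPool, seen map[string]bool, r *SecretRequest) error {
	u, err := url.Parse(r.ConsumerKey)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return fmt.Errorf("consumer key must be an https root URL")
	}
	cert, err := x509.ParseCertificate(r.CertDER)
	if err == nil { // an empty DNSName would skip host matching entirely, hence the check above
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: u.Hostname()})
	}
	if err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(canonical(r))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], r.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	id := r.ConsumerKey + "\n" + r.Nonce // consumed only after everything else passed
	if seen[id] {
		return fmt.Errorf("replayed nonce")
	}
	seen[id] = true
	return nil
}

// Demo returns the outcome (nil = secret issued) of a valid request, its replay, a genuine
// attacker.example certificate presented for consumer.example's key, and a request altered after signing.
func Demo() (valid, replay, wrongHost, tampered error) {
	caKey, ca := issue(1, "Constructed Trusted Authority", nil, nil)
	cKey, cCert := issue(2, "consumer.example", ca, caKey)
	aKey, aCert := issue(3, "attacker.example", ca, caKey)
	roots, seen := x509.NewCertPool(), map[string]bool{}
	roots.AddCert(ca)
	req := sign(cKey, cCert, "https://consumer.example/", "n1")
	valid = verify(roots, seen, req)
	replay = verify(roots, seen, req)
	wrongHost = verify(roots, seen, sign(aKey, aCert, "https://consumer.example/", "n2"))
	req.Nonce = "n1-altered" // changed in transit; the signature no longer covers it
	tampered = verify(roots, seen, req)
	return
}
func main() { fmt.Println(Demo()) }
```

Two details matter in practice. The host comparison is what ties the certificate to the consumer key: an attacker holding a perfectly valid certificate for attacker.example cannot ask for consumer.example's secret, and the example rejects that case through chain validation rather than a separate string compare. And the nonce is marked as used only after the chain and signature both pass; marking it earlier would let anyone who can guess a nonce lock a legitimate consumer out. A real deployment would also bound nonce storage with a timestamp window and would check revocation of the consumer's certificate, which the message raises but this example does not implement.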