Breno de Medeiros wrote:
> At this point, there is no reasonably secure formulation of OAuth
> without key registration.
>
> We hope to add one for the hybrid protocol.

If that is true then OAuth is broken. Wouldn't it be better to fix this problem in OAuth itself rather than only in the hybrid protocol?

Mobile and desktop apps need to be able to use OAuth as well, and since consumer secrets are impractical for such apps there has to be a way to use OAuth without consumer secrets in order to support them. The hybrid protocol is not appropriate for desktop/mobile apps, so fixing it at this level does not address the problem.

Cheers,
Martin

_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
