>
> The subject does not want just **anybody** to verify his identity; he only
>> wants the **relying party** to be able to verify his identity.
>>
> If I understand correctly, a URL signed using OAuth can be accessed
> successfully only once, because of the oauth-nonce parameter. Or atleast, it
> is possible to implement such a restriction at the identity provider's end.
>

yup - that's the case.  the nonce prevents the call from being used twice,
and you can't delay verification (to an extent) because the timestamp on the
signature will fall out of bounds.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

Reply via email to