On Apr 18, 2013, at 8:25 PM, Stephen J. Turnbull <[email protected]> wrote:
> Richard Wackerbarth writes:
>
>> Since we consider the user manager to be a part of the MM complex,
>> what have we gained by hiding the underlying credential from the
>> web interface?
>
> Security. See the OAuth 2.0 spec (RFC 6749), which recommends (at
> SHOULD level) this practice.

RFC 6749 addresses the implementation of an OAuth authorization system. In this context, SHOULD refers to the implementation of this RFC. It does not imply that other authorization schemes also need to meet those same criteria.

As for security, exposing the authorization server to direct Internet access is, in itself, a security weak point.

_______________________________________________
Mailman-Developers mailing list
http://mail.python.org/mailman/listinfo/mailman-developers
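The practice the two messages above argue about, keeping the user's actual credential inside the user manager and giving the web interface only an opaque token, is shown below as an added illustration. This is not Mailman's code and not either poster's design; the class names, the in-memory stores and the fixed clock values are assumptions made for the example. The user manager plays the part of the authorization server: it alone verifies passwords, and it issues a random, expiring, revocable bearer token that the web layer stores in place of the password.

```python
"""Added illustration (not Mailman's code): keeping the password out of the web layer.

UserManager stands in for the authorization server from the discussion; it
is the only component that ever sees a password. WebInterface holds just an
opaque bearer token per session. All names and stores are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import time


class UserManager:
    """Holds credentials; the only component that verifies a password."""

    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 hash)
        self._tokens = {}   # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        # Store only a hash of the token, so a dump of this table does not
        # yield usable bearer tokens either.
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def issue_token(self, username, password, ttl=3600, now=None):
        """Verify the password and return an opaque bearer token, or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._tokens[self._key(token)] = (username, now + ttl)
        return token

    def introspect(self, token, now=None):
        """Return the username bound to a live token, or None."""
        entry = self._tokens.get(self._key(token))
        if entry is None:
            return None
        username, expiry = entry
        now = time.time() if now is None else now
        return None if now >= expiry else username

    def revoke(self, token):
        self._tokens.pop(self._key(token), None)


class WebInterface:
    """Front end: keeps a token per session, never the password."""

    def __init__(self, user_manager):
        self._um = user_manager
        self.sessions = {}   # session id -> bearer token

    def login(self, username, password, now=None):
        token = self._um.issue_token(username, password, now=now)
        if token is None:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = token
        return sid

    def current_user(self, sid, now=None):
        token = self.sessions.get(sid)
        return None if token is None else self._um.introspect(token, now=now)

    def logout(self, sid):
        token = self.sessions.pop(sid, None)
        if token is not None:
            self._um.revoke(token)


def demo():
    """Run the flow at a fixed clock (constructed input); return observations."""
    um = UserManager()
    um.add_user("alice", "correct horse battery staple")
    web = WebInterface(um)
    t0 = 1_000_000.0
    bad = web.login("alice", "wrong", now=t0)
    sid = web.login("alice", "correct horse battery staple", now=t0)
    leaked = repr(web.sessions)            # what a dump of the web layer exposes
    user_now = web.current_user(sid, now=t0 + 10)
    user_later = web.current_user(sid, now=t0 + 3600)   # at the ttl boundary
    stolen = web.sessions[sid]             # token copied before logout
    web.logout(sid)
    return {
        "bad_password_rejected": bad is None,
        "user": user_now,
        "password_in_web_state": "correct horse battery staple" in leaked,
        "expired": user_later is None,
        "after_logout": web.current_user(sid, now=t0 + 10),
        "revoked_token_dead": um.introspect(stolen, now=t0 + 10) is None,
    }


if __name__ == "__main__":
    print(demo())
```

What the split buys: a compromise of the web tier yields tokens that expire and can be revoked centrally, not the password itself, and the password hash never leaves the user manager. Whether that is worth the extra service boundary is exactly the question the thread is debating.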
