On Apr 28, 2013, at 2:15 AM, Stephen J. Turnbull <step...@xemacs.org> wrote:
> Xu Wang writes:
>
>> The problem is how do you "confirm ownership of the subscribed address"
>> when a request comes with an access token.
>
> You don't. That was done when the OAuth ID was linked to the address,
> using the usual 3-step handshake (submit the association, receive an
> email containing a secret, confirm ownership by replying with the secret).

In many installations, the linking may not require the email handshake. An installation may choose to "trust" that the third party issuing the access credential has already performed sufficient vetting of the association. I'm thinking of things like BrowserID credentials or Google/Twitter/Facebook issued credentials. However, that is a local "policy" whose decision involves a tradeoff between the level of assurance and the ease in establishing the association.

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
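
The linking step discussed in this message, as an added sketch that is not part of the original thread and is not Mailman code: the 3-step handshake by default, skipped only when local policy trusts the issuer's verified-email claim. The class, method names, the `email_verified` flag and the issuer names are hypothetical.

```python
import hmac
import secrets


class AddressLinker:
    """Links an external identity (issuer, subject) to a subscribed address."""

    def __init__(self, trusted_issuers=()):
        # Local policy (assumption): issuers whose verified-email claim is
        # accepted without a handshake. Empty means always do the handshake.
        self.trusted_issuers = set(trusted_issuers)
        self.pending = {}    # (issuer, subject, address) -> mailed secret
        self.linked = set()  # confirmed (issuer, subject, address) links

    @staticmethod
    def _key(issuer, subject, address):
        return (issuer, subject, address.strip().lower())

    def request_link(self, issuer, subject, address, email_verified=False):
        """Step 1: submit the association.

        Returns ("linked", None) or ("pending", secret_to_mail).
        """
        key = self._key(issuer, subject, address)
        # Policy shortcut: only an explicit verified claim from a trusted
        # issuer skips the handshake; anything else falls through.
        if issuer in self.trusted_issuers and email_verified is True:
            self.linked.add(key)
            return "linked", None
        secret = secrets.token_urlsafe(16)
        self.pending[key] = secret  # step 2: mail this secret to the address
        return "pending", secret

    def confirm(self, issuer, subject, address, reply_secret):
        """Step 3: the reply must carry the mailed secret; it is single use."""
        key = self._key(issuer, subject, address)
        expected = self.pending.get(key)
        if expected is None or not hmac.compare_digest(
                expected.encode(), reply_secret.encode()):
            return False
        del self.pending[key]
        self.linked.add(key)
        return True

    def is_owner(self, issuer, subject, address):
        """Checked later, when a request arrives with an access token."""
        return self._key(issuer, subject, address) in self.linked
```

Ownership is never re-proven at request time: `is_owner` only looks up a link that was established earlier, at whatever assurance level the policy allowed.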