On 4/28/09 1:40 PM, Brian Eaton wrote: > It's fine to limit the number of unsuccessful exchange attempts, but a > limit of one is too low. Five attempts is more reasonable. > > Limiting the number of successful exchange attempts to one makes sense.
This makes sense. Perhaps the spec should be organized in this way: ---- The SP MUST invalidate the request token after a successful exchange attempt. The SP MUST invalidate the request token after a certain number of unsuccessful exchange attempts. The number is RECOMMENDED to be between 1 and 5, as appropriate. ---- I don't see why a SP should be prohibited from expiring a token after one unsuccessful exchange attempt. IMHO, the number should be chosen based on the SP's desired security level. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---