On 4/29/09 10:05 AM, Blaine Cook wrote:
> In the case of applications that are distributed to end users, this
> becomes a DRM problem and not one we can solve without user education
> and due signaling and out-of-band trust metrics on the service
> provider's side.

All it takes to solve this is to change the spec. to require the user authenticate with the SP to generate an "identity nonce" which the consumer uses to begin the OAuth flow to authorize itself with SP on behalf of the user.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)