On Thu, Apr 30, 2009 at 8:08 PM, Mike Malone <mjmal...@gmail.com> wrote:
> On Thu, Apr 30, 2009 at 10:57 AM, Blaine Cook <rom...@gmail.com> wrote:
>>
>> On Thu, Apr 30, 2009 at 6:54 PM, Mike Malone <mjmal...@gmail.com> wrote:
>> >
>> > This would break the web flow for 1.0 (non Rev. A) consumers.
>>
>> I think that's the desired behaviour, though? So long as service
>> providers continue to support 1.0 non Rev. A consumers, the
>> vulnerability persists.
>>
>> b.
>
> I don't know, is it? I was under the impression that the rev was designed to
> preserve backwards compatibility and leave the decision up to SPs.

Hmm, I would prefer a simple upgrade with minimal disruption rather than backward compatibility (i.e. if we want to fix the problem, I think that the web flow will need to be broken for those OAuth 1.0 consumers expecting the callback parameter to work as before...)

Luca