Dirk, I see now what you are getting at. Yes I guess the SP could use a signature to generate the verifier, so it would not need to persist it. As long as the signature secrete changes ever so often, I don't think an attacker could compromise this method. But to me the wording of that section still doesn't state how the SP can verify the verifier. Using the signature approach still does the same thing, makes sure the verifier matches.
It might be a good idea to suggest this signature approach in the spec as an implementation tip. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
