On Thu, Apr 30, 2009 at 5:28 PM, Josh Roesslein <jroessl...@gmail.com>wrote:

> Dirk,
>
> I see now what you are getting at. Yes I guess the SP could use a signature
> to generate the verifier, so it would not need to persist it.
> As long as the signature secret changes every so often, I don't think an
> attacker could compromise this method. But to me the wording of that section
> still doesn't state how the SP can verify the verifier.


Well, the wording as it is now mentions two verification codes, and says
that the SP MUST make sure that they are "identical". That looks like a
prescription for implementation to me. And not an implementation that I
would choose :-)

Dirk.



> Using the signature approach still does the same thing, makes sure the
> verifier matches.
>
> It might be a good idea to suggest this signature approach in the spec as
> an implementation tip.

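The stateless scheme discussed above (derive the verifier from the request token with a keyed signature, then verify by recomputing it), written out as an added example that is not code from either poster or from the OAuth spec. The key ring, key ids, token values and function names are assumptions of this example; the key-id prefix is one way to let the secret rotate without breaking verifiers issued under the previous key.

```python
import hashlib
import hmac

# Constructed key ring for the Service Provider (SP): key id -> signing secret.
# Rotation = add a new id, make it current, and drop the old id once any
# verifier issued under it could no longer be in flight.
KEY_RING = {
    "k1": b"previous-secret-still-accepted",
    "k2": b"current-secret",
}
CURRENT_KEY_ID = "k2"


def make_verifier(request_token: str, key_id: str = CURRENT_KEY_ID) -> str:
    """Derive oauth_verifier from the request token; the SP stores nothing.

    The verifier is bound to exactly this token by the HMAC, so a verifier
    captured for one token cannot be presented for another.
    """
    mac = hmac.new(KEY_RING[key_id], request_token.encode("utf-8"),
                   hashlib.sha256).hexdigest()[:32]
    return f"{key_id}.{mac}"


def check_verifier(request_token: str, presented: str) -> bool:
    """Recompute the verifier for this token and compare in constant time."""
    key_id, _, _mac = presented.partition(".")
    if key_id not in KEY_RING:
        return False  # unknown or already retired signing key
    expected = make_verifier(request_token, key_id)
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(expected, presented)
    # Note: this proves token/verifier binding only. The SP must still treat
    # the request token as single-use at the access-token exchange step.
```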