On 5/1/09 3:06 PM, Eran Hammer-Lahav wrote:
> They didn’t change the protocol version (as in ‘GET /something
> HTTP/1.1’) because it added no value and would have just broke the web.

Explain how rev'ing HTTP to 1.2 would have "broke the web" ... ?

And similarly, how does changing oauth_version to 1.1 "break" OAuth? 
Can you actually outline an actual scenario where this happens?

I thought the whole point of the proposed change to OAuth is to _close a 
security hole_.  That means, requests made to or from an implementation 
of the previous specification are INSECURE and SHOULD NOT COMPLETE, PERIOD.

Or, have I learned a different definition of "security hole" than what 
the OAuth community uses?

-- 
Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
   "He realized the fastest way to change is to laugh at your own
     folly -- then you can let go and quickly move on." (p. 70)

