No. I'm trying not to break areas of the spec that are unaffected by the 
security hole, provide tools to close the hole, and do it in a way that allows 
providers who choose to, to offer a migration path to their developers that is 
not just shutting down their existing old-flow OAuth endpoints.

When you consider the fact that the authorization flow is merely 3 endpoints 
out of potentially tens or hundreds of API endpoints, the deployment impact on 
the server is much greater on the API side than on the OAuth authorization 
side. This might not be an issue to small providers where the entire API is 
managed by a single server/codebase, but for large providers such as Yahoo! and 
Google with a huge distributed deployment, this is a real impact. Add to that 
OpenSocial which uses 2-legged, the size of secure and unbroken deployment that 
a new wire version will break for no gain at all is significant.

EHL

> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of David Parry
> Sent: Friday, May 01, 2009 6:51 PM
> To: OAuth
> Subject: [oauth] Re: Version Preference
> 
> 
> You're trying to maximize interoperability between the new and flawed
> spec.
> 
> i.e.
> 
> SP 1.0 <-> Consumer 1.0a
> 
> SP 1.0a <-> Consumer 1.0
> 
> On May 2, 11:22 am, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> > I have no idea what point you are trying to make. Specifications are
> > about interoperability (what else would it be about?).
> >
> > EHL
> >
> >
> >
> > > -----Original Message-----
> > > From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> > > Of David Parry
> > > Sent: Friday, May 01, 2009 5:57 PM
> > > To: OAuth
> > > Subject: [oauth] Re: Version Preference
> >
> > > Let's play devil's advocate for a minute, considering the current
> > > exploit was in plain view for over a year before it was found.
> >
> > > Are you willing to bet OAuth's reputation (for the sake of
> > > interoperability) that no flaws exist in this "trapdoor" switch?
> 
