On Fri, May 1, 2009 at 1:44 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>
> I'll add that those of you worried about confusion and complexity,
> keep in mind that today approved applications work without any
> problem. Changing the oauth_version will break it.

To be clear about how this could break something, I'll go through how to upgrade the version number:

First phase:
- Providers start accepting either 1.0 or 1.1 for the parts of the protocol that haven't actually changed.
- Providers start accepting 1.1 for the new authentication flow.

Second phase:
- Consumers start using the new 1.1 authentication flow where needed to fix the security issue.
- Some Consumers might also bump up the version on flows where nothing actually changed, but it's optional and there's little reason to do it.

Third phase:
- Once enough consumers have switched, providers drop support for the insecure part of 1.0.

So at this point, new Providers should accept 1.1 and the non-broken parts of 1.0 (call that 1.0-stripped). Consumers are free to use 1.1, or 1.0-stripped. If you don't actually need 1.1, using 1.0-stripped will have better backwards compatibility so long as there are still Providers out there that only support 1.0, which means upgrades will be slow.

If enough Consumers bump to 1.1 (even though it's not needed), Providers could also stop accepting 1.0-stripped, but there's very little reason to do so.

That's the best case assuming everyone does the right thing. If Providers decide not to bother with 1.0-stripped then things break more.

So it seems that by not incrementing the version, you avoid the whole issue of supporting 1.0-stripped, because that's just a subset of the current version.

(I'm not sure why we bother putting version numbers in protocols. Putting the protocol's name on the wire seems quite sufficient, since you can use a different name if there's a reason.)

- Brian
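The three-phase provider policy laid out in this message, as an added example in Python (not code from the thread or from any OAuth library): it pulls `oauth_version` out of an `Authorization: OAuth ...` header (absent means 1.0, as the 1.0 spec allows) and decides, per rollout phase, whether a provider should accept the request. The flow names and the choice of which flow carries the security fix are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Assumption for this example: the flow whose 1.0 form is insecure and
# gets a new 1.1 version. The other flows are "unchanged parts" of the protocol.
INSECURE_FLOW = "request_token"

# key="value" pairs inside the Authorization header; values are percent-encoded.
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_oauth_header(header):
    """Parse an 'Authorization: OAuth ...' header into a dict of decoded params."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for key, value in _PARAM.findall(rest):
        if key == "realm":
            continue  # realm is HTTP auth scaffolding, not a protocol parameter
        params[unquote(key)] = unquote(value)
    return params


def provider_accepts(phase, flow, header):
    """Provider-side acceptance rule for rollout phase 1, 2 or 3 (see the message)."""
    version = parse_oauth_header(header).get("oauth_version", "1.0")  # absent => 1.0
    if version not in ("1.0", "1.1"):
        return False
    if flow == INSECURE_FLOW:
        # The new authentication flow is always 1.1; the insecure 1.0 form of it
        # stays accepted only until phase 3, when providers drop it.
        return version == "1.1" or phase < 3
    # Unchanged parts of the protocol: 1.0 ("1.0-stripped") and 1.1 are interchangeable.
    return True
```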