Not to get off topic here, but it might actually be a good idea to
invalidate any access tokens when the SP changes to the new spec.
The reason for this is to make sure attackers that might have used the
session fixation attack prior to the fix no longer have a valid token.
Sure, the user will have to do a quick OAuth re-authorization, but the
security benefit is worth it. This is up to the SP to decide, but just a
good tip.

On Sat, May 2, 2009 at 1:56 AM, Luca Mearelli <luca.meare...@gmail.com> wrote:

>
> On Fri, May 1, 2009 at 10:15 PM, Luca Mearelli <luca.meare...@gmail.com>
> wrote:
> > On Fri, May 1, 2009 at 10:25 AM, Blaine Cook <rom...@gmail.com> wrote:
> >> 1. "1.0 Rev A" with no version string change (i.e., oauth_version=1.0)
> >
> > +1 for this
>
> Let me put a few words behind this: I see no reason for changing the
> value of the parameter transmitted over the wire (oauth_version),
> since changing it doesn't do any good to the task here, which is fixing
> the spec security, but instead it will rather do harm to the already
> deployed (and working) code. Let's not forget that the currently
> issued and authorized access tokens would stop working for no reason
> and require reissue if that value is changed.
>
> Some of the discussion around the version is related to the possible
> confusion of having a different version in the spec "name" and in the
> wire parameter. To this extent, any change to the name that makes it
> easy to communicate that we are referring to a revised protocol would
> be good and minimizes the possible confusion, hence the preference for
> calling it "1.0 Rev A".
>
> Moreover, I'd see it as a good thing to clarify the role of the
> oauth_version parameter as NOT being the spec version but the protocol
> signature version (I mean the way to indicate how to build the
> signature base string & co.).
>
> Luca
>
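The two points raised in this thread, revoking every access token authorized under the pre-fix flow at cutover and keeping the wire value oauth_version=1.0 unchanged, can be put together in one SP-side policy. The following is an added example, not code from the OAuth list or any SP's implementation; it assumes a hypothetical in-memory token store with internal flow labels (FLOW_PRE_FIX, FLOW_REV_A) that never appear on the wire, and a constructed scenario with tokens for a user "alice".

```python
"""Cutover policy for an OAuth 1.0 service provider (SP) adopting the revised
spec.  Added example, not code from the OAuth list thread.  It assumes a
hypothetical in-memory token store; the policy it implements is the one the
message above suggests: revoke every access token authorized under the
pre-fix flow so a token obtained via session fixation stops working, while
the wire parameter oauth_version stays "1.0" for old and new consumers alike.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Internal bookkeeping labels for the authorization flow a token came from
# (hypothetical names).  Neither is ever sent on the wire; oauth_version stays "1.0".
FLOW_PRE_FIX = "pre-fix"
FLOW_REV_A = "rev-a"


@dataclass
class AccessToken:
    token: str
    secret: str
    user_id: str
    flow: str                 # FLOW_PRE_FIX or FLOW_REV_A
    issued_at: datetime
    revoked: bool = False


@dataclass
class TokenStore:
    tokens: Dict[str, AccessToken] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)   # for detection / forensics

    def issue(self, token: str, secret: str, user_id: str, flow: str) -> AccessToken:
        """Record a newly authorized access token and the flow that produced it."""
        at = AccessToken(token, secret, user_id, flow, datetime.now(timezone.utc))
        self.tokens[token] = at
        return at

    def cut_over(self) -> int:
        """Switch the SP to the revised flow: revoke every token that was
        authorized under the pre-fix flow.  Returns the number revoked."""
        revoked = 0
        for at in self.tokens.values():
            if at.flow == FLOW_PRE_FIX and not at.revoked:
                at.revoked = True
                revoked += 1
                self.audit_log.append(
                    f"revoked token={at.token} user={at.user_id} reason=spec-cutover")
        return revoked

    def validate(self, token: str, oauth_version: Optional[str]) -> Optional[AccessToken]:
        """Check the access token on a protected-resource request.

        oauth_version is optional in OAuth 1.0 and, when present, must be
        exactly "1.0" both before and after the revision (the spec name
        changes, the wire value does not).  Revoked tokens are refused, which
        sends the consumer back through the (now fixed) authorization flow.
        """
        if oauth_version is not None and oauth_version != "1.0":
            self.audit_log.append(f"rejected token={token} reason=bad-version:{oauth_version}")
            return None
        at = self.tokens.get(token)
        if at is None or at.revoked:
            self.audit_log.append(f"rejected token={token} reason=unknown-or-revoked")
            return None
        return at


def demo() -> dict:
    """Constructed scenario: one pre-fix token (possibly planted via session
    fixation), the cutover, then a freshly authorized Rev A token."""
    store = TokenStore()
    store.issue("old-tok", "old-sec", "alice", FLOW_PRE_FIX)
    before = store.validate("old-tok", "1.0") is not None
    revoked = store.cut_over()
    after = store.validate("old-tok", "1.0") is not None
    store.issue("new-tok", "new-sec", "alice", FLOW_REV_A)
    new_ok = store.validate("new-tok", "1.0") is not None
    new_ok_no_version = store.validate("new-tok", None) is not None
    wrong_version = store.validate("new-tok", "1.0a") is not None
    return {
        "old_valid_before": before,
        "revoked": revoked,
        "old_valid_after": after,
        "new_valid": new_ok,
        "new_valid_no_version": new_ok_no_version,
        "wrong_wire_version_accepted": wrong_version,
        "audit_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit log is the part a defender cares about after cutover: a burst of `unknown-or-revoked` rejections for one user is exactly what a pre-fix token that someone else still holds looks like, and the revocation entries let you reconcile those rejections with the cutover instead of with legitimate clients.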

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---