OAuth has two parts: getting an Access Token and using the Access Token. 
Getting an Access Token is broken but using is not. No need to break both and 
changing the wire version will do that. Breaking perfectly secure 
implementations just to make you *feel* more secure is silly.

EHL



> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Dossy Shiobara
> Sent: Saturday, May 02, 2009 10:16 AM
> To: oauth@googlegroups.com
> Subject: [oauth] Re: This whole version business
> 
> 
> On 5/1/09 2:29 PM, Eran Hammer-Lahav wrote:
>  > There is a difference between what you name the specification and the
>  > string value you put on the wire. My point is that there is no reason
>  > to change what is transmitted on the wire. I also made the point that
>  > not changing the wire string but changing the document version will be
>  > more confusing. Changing both just because it helps with communication
>  > with *people* makes no sense. Protocols are for *machines* and those
>  > do not need a new version number.
> 
> Considering that the changes being made to the OAuth specification MUST
> break backwards compatibility -- as implementations of the current
> unfixed specification are KNOWN to be insecure -- makes perfect
> _technical_ sense to rev the version number on the wire to signify
> this.
> 
> Continuing to use the current, known insecure, specification is
> negligent at best and nefarious at worst.
> 
> 
> --
> Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>    "He realized the fastest way to change is to laugh at your own
>      folly -- then you can let go and quickly move on." (p. 70)
> 
> 
