On 5/2/09 1:40 PM, Eran Hammer-Lahav wrote:
> OAuth has two parts: getting an Access Token and using the Access
> Token. Getting an Access Token is broken but using is not. No need to
> break both and changing the wire version will do that. Breaking
> perfectly secure implementations just to make you *feel* more secure
> is silly.

Sorry, I didn't realize that there were separate specifications for each. In my mind, the two go hand-in-hand - if you can't get a token securely, you can't use them securely either. In other words: if any attacker can get an access token, then "using them securely" has no meaning.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)