On 5/2/09 2:30 PM, John Kemp wrote:
> But for 2009.1, I think it's right to stay with oauth_version=1.0, and
> move on to fix the actual security issue.

Fine, it really doesn't matter what the oauth_version is, anyway.

Can I see a show of hands: can an SP safely allow any Consumer to use the current OAuth 1.0 (not referring to the revised 2009.1 draft) securely? [Yes or no?]

In other words: if an SP allows an arbitrary Consumer to use the OAuth 1.0 flow as-is, then the security threat continues for that SP?

If this is "yes", then all SPs that switch to 2009.1 _cannot_ allow the currently known insecure OAuth 1.0 flow, so "backwards compatibility" is a non-issue.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)