No, 3-legged consumers can't use the old spec safely, but 2-legged consumers
are not affected, so they don't need to upgrade for changes that they don't
even use. This is what we mean by backward compatibility. We still want to
support 2-legged consumers who are using the same code. If we incremented
the version, they would have to update the code just to change a version
number, for what? There is no gain in doing an increment of the wire version.

On Sat, May 2, 2009 at 2:28 PM, Dossy Shiobara <do...@panoptic.com> wrote:

>
> On 5/2/09 2:30 PM, John Kemp wrote:
> > But for 2009.1, I think it's right to stay with oauth_version=1.0, and
> > move on to fix the actual security issue.
>
> Fine, it really doesn't matter what the oauth_version is, anyway.
>
> Can I see a show of hands - Can an SP safely allow any Consumer to use
> the current OAuth 1.0 (not referring to the revised 2009.1 draft)
> securely?  [Yes or no?]
>
> In other words: If an SP allows an arbitrary Consumer to use the OAuth
> 1.0 flow as-is, then the security threat continues for that SP?
>
> If this is "yes" then all SP's that switch to 2009.1 _cannot_ allow the
> currently known insecure OAuth 1.0 flow, so "backwards compatibility" is
> a non-issue.
>
> --
> Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>   "He realized the fastest way to change is to laugh at your own
>     folly -- then you can let go and quickly move on." (p. 70)
>
> >
>
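The position argued above, as an added example that is not code from the thread or from any OAuth implementation: a service-provider-side gate that keeps accepting 2-legged requests under oauth_version=1.0 unchanged, while requiring the Revision A additions (oauth_callback on the request-token call, oauth_verifier on the access-token call, as in OAuth 1.0a / RFC 5849) only on the 3-legged flow. The endpoint paths are assumptions; signature verification is assumed to happen elsewhere.

```python
from urllib.parse import parse_qsl

# Assumed SP endpoint paths (not from the thread).
REQUEST_TOKEN_PATH = "/oauth/request_token"
ACCESS_TOKEN_PATH = "/oauth/access_token"


def classify(path, params):
    """Return 'unsigned', 'two_legged' or 'three_legged' for one request."""
    if "oauth_consumer_key" not in params or "oauth_signature" not in params:
        return "unsigned"
    # The token endpoints only exist for the 3-legged (user authorization) dance.
    if path in (REQUEST_TOKEN_PATH, ACCESS_TOKEN_PATH):
        return "three_legged"
    # A 2-legged call authenticates with consumer credentials alone: no user token.
    return "three_legged" if params.get("oauth_token") else "two_legged"


def check_request(path, query):
    """Decide whether the SP accepts this request; returns (accepted, reason).

    Signature verification is assumed to happen elsewhere; this gate only
    decides which protocol requirements apply to which kind of consumer.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    version = params.get("oauth_version", "1.0")  # omitted means 1.0 in OAuth 1.0
    kind = classify(path, params)
    if kind == "unsigned":
        return False, "missing oauth_consumer_key or oauth_signature"
    if version != "1.0":
        return False, f"unsupported oauth_version {version!r}"
    if kind == "two_legged":
        # Not affected by the fix, so the same 1.0 consumer code keeps working.
        return True, "2-legged request accepted unchanged"
    # 3-legged: require the Revision A additions at the two token endpoints.
    if path == REQUEST_TOKEN_PATH and not params.get("oauth_callback"):
        return False, "request-token call must carry oauth_callback (or 'oob')"
    if path == ACCESS_TOKEN_PATH and not params.get("oauth_verifier"):
        return False, "access-token call must carry oauth_verifier"
    return True, "3-legged request meets Revision A requirements"
```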

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---