In practice, I imagine most SPs will do the following: roll out compatible
support for 1.0 and 1.0 Rev A, and provide extra warning messages on the
consent page for 1.0 consumers. To do it any other way would break all
existing implementations. Then SPs will encourage their Consumers to move to
1.0 Rev A (and Consumers will be naturally inclined to do this as a way to
get rid of the scary warning message). Then at some point in the future, SPs
may stop supporting 1.0 entirely.

Thanks, js

On Sat, May 2, 2009 at 1:19 PM, Josh Roesslein <jroessl...@gmail.com> wrote:

> No, 3 legged consumers can't use the old spec safely, but 2 legged
> consumers are not affected so they don't need to upgrade for changes that
> they don't even use. This is what we mean by backward compatibility. We
> still want to support 2 legged consumers who are using the same code. If
> we incremented the version, they would have to update the code just to
> change a version number for what? There is no gain in doing an increment
> of the wire version.
>
>
> On Sat, May 2, 2009 at 2:28 PM, Dossy Shiobara <do...@panoptic.com> wrote:
>
>>
>> On 5/2/09 2:30 PM, John Kemp wrote:
>> > But for 2009.1, I think it's right to stay with oauth_version=1.0, and
>> > move on to fix the actual security issue.
>>
>> Fine, it really doesn't matter what the oauth_version is, anyway.
>>
>> Can I see a show of hands - Can an SP safely allow any Consumer to use
>> the current OAuth 1.0 (not referring to the revised 2009.1 draft)
>> securely?  [Yes or no?]
>>
>> In other words: If an SP allows an arbitrary Consumer to use the OAuth
>> 1.0 flow as-is, then the security threat continues for that SP?
>>
>> If this is "yes" then all SPs that switch to 2009.1 _cannot_ allow the
>> currently known insecure OAuth 1.0 flow, so "backwards compatibility" is
>> a non-issue.
>>
>> --
>> Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
>> Panoptic Computer Network   | http://panoptic.com/
>>   "He realized the fastest way to change is to laugh at your own
>>     folly -- then you can let go and quickly move on." (p. 70)
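The rollout js describes at the top of this message (serve both 1.0 and 1.0 Rev A, warn on the consent page for plain 1.0 consumers, later drop 1.0) can be sketched as SP-side logic. The block below is an added example written for this page; it is not code from the thread, from any SP, or from the OAuth specification. It relies on the parameters Rev A actually introduced (`oauth_callback` at the request-token step, `oauth_callback_confirmed` in the response, `oauth_verifier` at the access-token step) to tell the two kinds of consumer apart; the class, method names, warning text and `legacy_allowed` switch are this example's own inventions, and signature verification is assumed to have been done by the caller.

```python
"""Added example (not from the thread or the OAuth spec): a toy service-provider
token store that accepts both OAuth 1.0 and 1.0 Rev A consumers, flags the
plain-1.0 sessions so the consent page can show a warning, and can later be
switched to refuse 1.0 entirely. Signature checking is out of scope here."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str
    rev_a: bool                      # consumer sent oauth_callback at the request-token step
    callback: Optional[str] = None   # Rev A callback URL, or "oob" for out-of-band
    verifier: Optional[str] = None   # Rev A only; issued when the user approves
    authorized: bool = False


class ServiceProvider:
    def __init__(self, legacy_allowed: bool = True) -> None:
        # legacy_allowed=True: serve both flows (the "compatible support" phase).
        # legacy_allowed=False: the later phase where pre-Rev-A consumers are dropped.
        self.legacy_allowed = legacy_allowed
        self.request_tokens: Dict[str, RequestToken] = {}

    def issue_request_token(self, params: Dict[str, str]) -> Dict[str, str]:
        """Request-token endpoint. Rev A consumers send oauth_callback here;
        its absence is how the SP recognises a plain 1.0 consumer."""
        callback = params.get("oauth_callback")
        rev_a = callback is not None
        if not rev_a and not self.legacy_allowed:
            raise PermissionError("OAuth 1.0 (pre Rev A) consumers are no longer accepted")
        tok = RequestToken(token=secrets.token_hex(8), secret=secrets.token_hex(16),
                           consumer_key=params["oauth_consumer_key"],
                           rev_a=rev_a, callback=callback)
        self.request_tokens[tok.token] = tok
        resp = {"oauth_token": tok.token, "oauth_token_secret": tok.secret}
        if rev_a:
            resp["oauth_callback_confirmed"] = "true"   # tells the consumer the SP speaks Rev A
        return resp

    def consent_page(self, token: str) -> Dict[str, object]:
        """What the resource owner sees. Only pre-Rev-A sessions get the extra warning."""
        tok = self.request_tokens[token]
        warnings: List[str] = []
        if not tok.rev_a:
            warnings.append("This application uses an older authorization flow. "
                            "Only continue if you started this request yourself.")
        return {"consumer": tok.consumer_key, "warnings": warnings}

    def authorize(self, token: str) -> Dict[str, Optional[str]]:
        """User approved. Rev A sessions get a one-time verifier that the consumer
        must present when trading the request token for an access token."""
        tok = self.request_tokens[token]
        tok.authorized = True
        if not tok.rev_a:
            return {"oauth_token": tok.token}          # 1.0: nothing extra to hand back
        tok.verifier = secrets.token_hex(8)
        return {"oauth_token": tok.token, "oauth_verifier": tok.verifier,
                # "oob": display the verifier to the user instead of redirecting
                "redirect_to": None if tok.callback == "oob" else tok.callback}

    def exchange_access_token(self, params: Dict[str, str]) -> Dict[str, str]:
        """Access-token endpoint. Rev A: oauth_verifier must match. 1.0: there is
        no verifier, so only the user's authorization can be checked."""
        tok = self.request_tokens.get(params.get("oauth_token", ""))
        if tok is None or not tok.authorized:
            raise PermissionError("unknown or unauthorized request token")
        if tok.rev_a:
            supplied = params.get("oauth_verifier", "")
            if not secrets.compare_digest(supplied, tok.verifier or ""):
                raise PermissionError("oauth_verifier missing or wrong")
        del self.request_tokens[tok.token]              # request tokens are single-use
        return {"oauth_token": "access-" + secrets.token_hex(8),
                "oauth_token_secret": secrets.token_hex(16)}
```

The point of keeping the `rev_a` flag on the stored request token is that the SP decides once, at issuance, which flow a session belongs to, and every later step (consent warning, verifier issuance, verifier check) keys off that decision rather than re-inspecting the request; flipping `legacy_allowed` is then the only change needed for the final phase.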

You received this message because you are subscribed to the Google Groups "OAuth" group (http://groups.google.com/group/oauth?hl=en).