hi david, from what i gather it is stating not that you MUST use plaintext over HTTPS but that if you are using plaintext then you should ONLY do so over HTTPS.
>> and PLAINTEXT only for secure (HTTPS) requests.

i agree that it isn't entirely clear in the documentation, but that's what i *think* it means, perhaps someone could confirm this?

i am considering using https for this also so am also eager to find out for certain.

rob ganly

On Sat, Jan 30, 2010 at 2:26 PM, David King <da...@1daylater.com> wrote:
> Currently I'm using HMAC-SHA1 over HTTP and have been considering
> adding in SSL to my app, but am slightly confused as to what is more
> appropriate. Obviously I'll be losing a *lot* of speed with SSL, and
> from reading the specification I'm unclear whether it's actually
> necessary. For example:
>
> http://oauth.net/core/1.0a/#rfc.section.A.1
>
> Seems to state that when using HTTPS I must use PLAINTEXT for my
> signatures - can someone help me understand whether one is more secure
> than the other, and if possible a recommendation of what to go for. I
> take a lot of cues from Twitter (who are using HMAC-SHA1 and HTTP)
> cause I'd like to imagine their herds of boffins have thought of most
> scenarios...
>
> What do you think?
>
> --
> You received this message because you are subscribed to the Google Groups
> "OAuth" group.
> To post to this group, send email to oa...@googlegroups.com.
> To unsubscribe from this group, send email to
> oauth+unsubscr...@googlegroups.com <oauth%2bunsubscr...@googlegroups.com>.
> For more options, visit this group at
> http://groups.google.com/group/oauth?hl=en.
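What the two signature methods discussed in this thread put on the wire, as an added example that is not part of the original messages: PLAINTEXT sends the consumer and token secrets themselves, while HMAC-SHA1 sends a keyed digest of one specific request. The sample request and secrets are the test values from the OAuth Core 1.0 specification's Appendix A example; the helper names are assumptions made for this sketch.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # OAuth 1.0a percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def signing_key(consumer_secret, token_secret=""):
    return pct(consumer_secret) + "&" + pct(token_secret)

def base_string(method, url, params):
    # METHOD & encoded URL & encoded, sorted, normalized parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_plaintext(consumer_secret, token_secret=""):
    # PLAINTEXT: the signature *is* the key, identical on every request
    # (it is percent-encoded once more when placed in the request)
    return signing_key(consumer_secret, token_secret)

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1: keyed digest of this request; the secrets stay on the client
    key = signing_key(consumer_secret, token_secret).encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_hmac_sha1(sig, method, url, params, consumer_secret, token_secret=""):
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(sig, expected)

# Test values from the OAuth Core 1.0 spec's Appendix A example (not from this thread)
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
    "file": "vacation.jpg", "size": "original",
}

if __name__ == "__main__":
    sig = sign_hmac_sha1("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print("HMAC-SHA1 on the wire:", sig)
    print("PLAINTEXT on the wire:", sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET))
    tampered = dict(PARAMS, size="thumbnail")  # parameter changed in transit
    print("tampered request verifies:",
          verify_hmac_sha1(sig, "GET", URL, tampered, CONSUMER_SECRET, TOKEN_SECRET))
```

HMAC-SHA1 over plain HTTP keeps the secrets off the wire and detects changes to the signed parameters, but the request and response contents remain readable to anyone on the path.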