Yes, that's what it means. Hopefully any HTTPS latency is minimal, at least for APIs where you don't have to drag every subsidiary resource in via HTTPS too. Use HTTP keep-alives; all overhead is on initial connection.

On Saturday, January 30, 2010, rob ganly <robert.ga...@gmail.com> wrote:
> hi david,
> from what i gather it is stating not that you MUST use plaintext over HTTPS
> but that if you are using plaintext then you should ONLY do so over HTTPS.
>>> and PLAINTEXT only for secure (HTTPS) requests.
>
> i agree that it isn't entirely clear in the documentation, but that's what i
> *think* it means, perhaps someone could confirm this? i am considering using
> https for this also so am also eager to find out for certain.
>
> rob ganly
> On Sat, Jan 30, 2010 at 2:26 PM, David King <da...@1daylater.com> wrote:
>
> Currently I'm using HMAC-SHA1 over HTTP and have been considering
> adding in SSL to my app, but am slightly confused as to what is more
> appropriate. Obviously I'll be losing a *lot* of speed with SSL, and
> from reading the specification I'm unclear whether it's actually
> necessary. For example:
>
> http://oauth.net/core/1.0a/#rfc.section.A.1
>
> Seems to state that when using HTTPS I must use PLAINTEXT for my
> signatures - can someone help me understand whether one is more secure
> than the other, and if possible a recommendation of what to go for. I
> take a lot of cues from Twitter (who are using HMAC-SHA1 and HTTP)
> cause I'd like to imagine their herds of boffins have thought of most
> scenarios...
>
> What do you think?
>
> --
> You received this message because you are subscribed to the Google Groups
> "OAuth" group.
> To post to this group, send email to oa...@googlegroups.com.
> To unsubscribe from this group, send email to
> oauth+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/oauth?hl=en.

--
John Panzer / Google
jpan...@google.com / abstractioneer.org / @jpanzer
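
The difference between the two OAuth 1.0a signature methods discussed in this thread, as an added example that is not part of the original messages: PLAINTEXT sends the signing key itself, while HMAC-SHA1 sends only a keyed digest of the request. The secrets, URL and parameter values are constructed, `method_allowed` is a hypothetical helper name, and the base-string code assumes an already normalized URL with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def enc(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def signing_key(consumer_secret, token_secret=""):
    return f"{enc(consumer_secret)}&{enc(token_secret)}"


def plaintext_signature(consumer_secret, token_secret=""):
    # PLAINTEXT: the "signature" is the key, so both secrets cross the wire as-is.
    return signing_key(consumer_secret, token_secret)


def base_string(method, url, params):
    # Sorted, encoded parameters joined with the method and URL (simplified: see lead-in).
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1: only a digest bound to this request, nonce and timestamp is sent.
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def method_allowed(url, signature_method):
    # Server-side policy from the thread: accept PLAINTEXT only on HTTPS requests.
    if signature_method == "PLAINTEXT":
        return urlsplit(url).scheme.lower() == "https"
    return signature_method == "HMAC-SHA1"


if __name__ == "__main__":
    # Constructed sample request and secrets.
    params = {"oauth_consumer_key": "ck-constructed", "oauth_nonce": "n1",
              "oauth_timestamp": "1264860000", "oauth_signature_method": "HMAC-SHA1"}
    url = "http://api.example.test/photos"
    print("PLAINTEXT :", plaintext_signature("cs-constructed", "ts-constructed"))
    print("HMAC-SHA1 :", hmac_sha1_signature("GET", url, params,
                                             "cs-constructed", "ts-constructed"))
    print("PLAINTEXT over HTTP allowed:", method_allowed(url, "PLAINTEXT"))
```

Neither method encrypts the request or response body; HMAC-SHA1 over HTTP protects the secrets and the integrity of the signed parameters, not confidentiality.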