On 1/15/10 10:29 AM, "John Panzer" <jpan...@google.com> wrote:

> I think the question at hand is: If a server says it wants to do bearer
> tokens and no TLS, is a client obligated to interop in order to claim spec
> compliance?

It's a tricky question because HTTPS is not a parameter or extension you negotiate. It is dictated by the URI of the protected resource you are trying to access, and clients should never assume that the http:// resource is the same as the https:// resource, just with more/less security.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth