On Fri, Mar 12, 2010 at 10:22 AM, Eve Maler <e...@xmlgrrl.com> wrote:
> It was observed that the argument in the OAuth community about token size
> seems to be related to token signing, thusly: those who are willing to
> require the Authorization Server to be stateless need large meaningful
> tokens and want them signed; those who can use a stateful Authorization
> Server can use small opaque tokens that don't need signing.

This seems orthogonal.  The confusion in this working group has not,
for the most part, been about whether access tokens should be signed.

The debate has been more about whether clients need to use signatures
when requesting access tokens, or when using access tokens.  On one
side there are people who would prefer bearer tokens, and on the other
side there are folks who want crypto in various bits of the protocol
to meet different use cases.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth