Agreed that token signing is separate from message signing as a proposition. I just happened to stick all of our "signing" conversations into one bucket of notes... Sorry that was confusing.
Eve

On 12 Mar 2010, at 11:06 AM, Brian Eaton wrote:

> On Fri, Mar 12, 2010 at 10:22 AM, Eve Maler <e...@xmlgrrl.com> wrote:
>> It was observed that the argument in the OAuth community about token size
>> seems to be related to token signing, thusly: those who are willing to
>> require the Authorization Server to be stateless need large meaningful
>> tokens and want them signed; those who can use a stateful Authorization
>> Server can use small opaque tokens that don't need signing.
>
> This seems orthogonal. The confusion in this working group has not,
> for the most part, been about whether access tokens should be signed.
>
> The debate has been more about whether clients need to use signatures
> when requesting access tokens, or when using access tokens. On one
> side there are people who would prefer bearer tokens, and on the other
> side there are folks who want crypto in various bits of the protocol
> to meet different use cases.
>
> Cheers,
> Brian

Eve Maler
e...@xmlgrrl.com
http://www.xmlgrrl.com/blog

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth