> On 15/04/2010 07:52, Brian Eaton <bea...@google.com> wrote:
>> As a security person, I'm hesitant to bring this up, but perhaps the Device
>> Flow should just be the flow for native client apps.
> I'm open to this.
> For native apps: the native app can open a web browser with the device
> code on the URL. The code can be very long and impossible to
> brute-force. The session fixation/phishing attack still exists, but I
> agree that could be addressed with good UI.

What is the benefit in combining Native flow and Device flow and then having to expend effort preventing any ingenious phishing attacks?

Mark McGloin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth