On Thu, May 27, 2010 at 6:48 PM, Blaine Cook <rom...@gmail.com> wrote:
> On 28 May 2010 02:21, Brian Eaton <bea...@google.com> wrote:
>> OAuth 1.0 was unusual in that it required that the server match a hash
>> of the URL, rather than the real URL.  It's an extra layer of
>> indirection and complexity.  It doesn't improve security.
>
> To be more precise, OAuth 1.0 required that the server match a
> normalised form of the URL. You're absolutely correct that it doesn't
> improve security [over matching the URL], but it *is* more secure than
> either not proving that the token bearer provided the URL in the first
> place or having the client and server match potentially different
> versions of the URL.

Cool.  Glad we can put Roy's security concern to rest, at least.

Bearer tokens vs signed requests is a separate issue entirely.

> Which is all to say that it is indeed complex, but much of that
> complexity is a result of HTTP libraries trying to hide complexity
> from users. I'd echo Roy's assertion that as library support improves,
> approaches to URL normalisation will become hidden behind the same
> layers of abstraction as constructing query strings and request URIs
> are today.

I think we're going to get some real data on which approach is easier soon. =)
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
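The exchange above turns on one mechanism: OAuth 1.0 has the server rebuild a normalised base string URI (lowercase scheme and host, default port dropped, query and fragment excluded, parameters sorted) and verify the HMAC over it, so a client and server that see syntactically different spellings of the same URL still agree. The following is an added example, not code from this thread or from any OAuth library; it implements the RFC 5849 base string construction and HMAC-SHA1 verification directly, with constructed consumer key, secrets, nonce and timestamp values, and shows that two spellings of the same resource verify while a request for a different path does not.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(s: str) -> str:
    """RFC 5849 s3.6: encode everything except RFC 3986 unreserved characters."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 s3.4.1.2: lowercase scheme/host, drop default port, strip query/fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalized_params(url: str, oauth_params: dict) -> str:
    """RFC 5849 s3.4.1.3: query + oauth_* params (minus the signature), encoded and sorted."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """RFC 5849 s3.4.1.1: METHOD & enc(base URI) & enc(normalised params)."""
    return "&".join([
        method.upper(),
        pct_encode(base_string_uri(url)),
        pct_encode(normalized_params(url, oauth_params)),
    ])


def hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret) -> str:
    # RFC 5849 s3.4.2: key is enc(consumer secret) & enc(token secret)
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signature(method, url, oauth_params, consumer_secret, token_secret) -> bool:
    """Server side: recompute over the server's own view of the URL and compare in constant time."""
    expected = hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Constructed sample values (not real credentials).
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"
OAUTH_PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1274998080",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}
# The client's spelling of the URL and the server's spelling of the same resource.
CLIENT_URL = "HTTP://Example.COM:80/resource?b=2&a=1"
SERVER_URL = "http://example.com/resource?a=1&b=2"
OTHER_URL = "http://example.com/other?a=1&b=2"


def demo() -> tuple:
    """Returns (same-resource verifies, different-path verifies)."""
    signed = dict(OAUTH_PARAMS)
    signed["oauth_signature"] = hmac_sha1_signature(
        "GET", CLIENT_URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    ok_same = verify_signature("GET", SERVER_URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    ok_other = verify_signature("GET", OTHER_URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    return ok_same, ok_other


if __name__ == "__main__":
    print(signature_base_string("GET", CLIENT_URL, OAUTH_PARAMS))
    print(demo())
```

The point Blaine makes is visible in `demo()`: the normalisation step is what lets the server's `http://example.com/resource?a=1&b=2` match a signature the client computed over `HTTP://Example.COM:80/resource?b=2&a=1`, while a request for `/other` still fails because the path is part of what was signed.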