So we can define something much simpler than OAuth 1.0, where the complexity was around normalizing the parameters, and if you want to implement signing you have to be able to know what you are actually sending, yes?
I'm OK with having some frameworks not capable of signing without being fixed.

> -----Original Message-----
> From: Roy T. Fielding [mailto:field...@gbiv.com]
> Sent: Friday, May 28, 2010 11:28 AM
> To: William Mills
> Cc: Eran Hammer-Lahav; Brian Eaton; oauth@ietf.org
> Subject: Re: [OAUTH-WG] FW: Duplicating request component in an HTTP authentication scheme
>
> On May 28, 2010, at 9:21 AM, William Mills wrote:
>
> > I thought one of the fundamental ugly problems is that the client
> > doesn't actually know the full URL authoritatively in all frameworks,
> > because variables get appended to the query string in an unknown order
> > in some cases?
>
> If the client doesn't know exactly what it is sending, then
> it isn't a secure client and any signature it might provide
> is bogus, by definition. Why do you bother to consider such
> a case? Let the clients fix their own technology.
>
> ....Roy
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth