On Fri, Jun 10, 2011 at 3:19 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> -----Original Message-----
>> From: Robert Sayre [mailto:say...@gmail.com]
>> Sent: Friday, June 10, 2011 11:37 AM
>> To: Adam Barth
>> Cc: Eran Hammer-Lahav; OAuth WG
>> Subject: Re: Why not use a server-supplied nonce (was: HTTP MAC
>> Authentication Scheme)
>>
>> On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth <i...@adambarth.com> wrote:
>> > On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre <say...@gmail.com> wrote:
>> >> Let's call my proposed addition the "opaque" parameter. The client
>> >> sends it back unchanged, just like the id.
>> >
>> > That already exists in the scheme.  It's just the value of the cookie.
>> >
>> >> This is just one use of an opaque field that servers might want to
>> >> try. I suppose this data could get stuffed into the SID too. Is that
>> >> the idea?
>> >
>> > Yep.
>>
>> OK, this is all much clearer. Could the draft include these explanations and
>> examples? It seems like the draft is obfuscated right now. Why not just
>> plainly state something similar to
>>
>> "This mechanism really just adds a little more security to session cookies."
>>
>> in the introduction? I hope it isn't because of HTTP religion or something
>> like that.
>
> We can make it clearer with regard to session cookies, but overall, the 
> mechanism is just a cleanup of the OAuth 1.0 MAC functionality.

It might be helpful to have a clear example flow of how to use this
mechanism in a normal session-cookie setup.  I think that would
address some of the questions we've been getting.

Adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
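The example flow Adam asks for, sketched here as an added illustration; it is not code from the draft, from the OAuth WG, or from anyone on this thread. At login the server issues a session id (the value that would ride in the cookie, which is the "opaque" value Adam says already exists in the scheme) together with a MAC key; the client signs each request with the key, and the server checks the signature, a timestamp window, and nonce reuse. The parameter names (id, ts, nonce, mac, ext) and the one-field-per-line normalized request string are assumed after the shape of the HTTP MAC draft; HMAC-SHA256, the 300-second skew window, and the URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit

# Constructed illustration of the session-cookie flow from the thread.
# Header layout and normalized-string layout are ASSUMED after the shape
# of the HTTP MAC draft; nothing here is the draft's own code.

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def _uri_parts(url):
    """Split an absolute URL into the (request-uri, host, port) the MAC covers."""
    p = urlsplit(url)
    uri = (p.path or "/") + ("?" + p.query if p.query else "")
    port = p.port or (443 if p.scheme == "https" else 80)
    return uri, p.hostname.lower(), port


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    """One field per line plus a trailing newline, so every field is bound."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host, str(port), ext]) + "\n"


def compute_mac(key, ts, nonce, method, uri, host, port, ext=""):
    """HMAC-SHA256 over the normalized string, base64 for the header (assumed algorithm)."""
    msg = normalized_request_string(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(key.encode(), msg, hashlib.sha256).digest()).decode()


def parse_mac_header(header):
    """Turn 'MAC id="..", ts="..", nonce="..", mac=".."' into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    return dict(_PARAM_RE.findall(rest))


def client_sign(sid, key, method, url, clock=time.time, nonce=None):
    """Client side: build the Authorization header for one request."""
    ts = int(clock())
    nonce = nonce or secrets.token_hex(8)   # fresh per request
    uri, host, port = _uri_parts(url)
    mac = compute_mac(key, ts, nonce, method, uri, host, port)
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (sid, ts, nonce, mac)


class Server:
    """Issues session credentials at login and verifies signed requests."""

    def __init__(self, clock=time.time, window=300):
        self.sessions = {}    # session id -> MAC key; the key stays server-side
        self.seen = set()     # (id, ts, nonce) already accepted, for replay detection
        self.clock = clock
        self.window = window  # allowed clock skew in seconds

    def login(self):
        """Return (id, key): the id is the cookie value, the key is sent once over TLS."""
        sid, key = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self.sessions[sid] = key
        return sid, key

    def verify(self, header, method, url):
        """Return (accepted, reason) for a request carrying the given header."""
        params = parse_mac_header(header)
        key = self.sessions.get(params.get("id"))
        if key is None:
            return False, "unknown session id"
        try:
            ts = int(params["ts"])
        except (KeyError, ValueError):
            return False, "missing or malformed ts"
        if abs(self.clock() - ts) > self.window:
            return False, "timestamp outside window"
        nonce = params.get("nonce", "")
        replay_key = (params["id"], ts, nonce)
        if replay_key in self.seen:
            return False, "nonce replay"
        uri, host, port = _uri_parts(url)
        expected = compute_mac(key, ts, nonce, method, uri, host, port, params.get("ext", ""))
        # Constant-time comparison so verification time does not leak the MAC
        if not hmac.compare_digest(expected, params.get("mac", "")):
            return False, "mac mismatch"
        self.seen.add(replay_key)   # record only after the signature checked out
        return True, "ok"


if __name__ == "__main__":
    srv = Server()
    sid, key = srv.login()
    url = "https://example.com/account?view=1"
    hdr = client_sign(sid, key, "GET", url)
    print(hdr)
    print(srv.verify(hdr, "GET", url))   # accepted
    print(srv.verify(hdr, "GET", url))   # rejected as a replay
```

The point the example makes against a plain session cookie is in `verify`: the cookie value alone proves nothing, so a captured request cannot be reissued (nonce replay), retargeted (method, URI, host and port are all under the MAC), or held for later (timestamp window), and the key that makes this work never travels after login. The seen-nonce set grows without bound here; a real server would prune entries older than the window.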
