On 16.06.2011 22:02, Brian Eaton wrote:
> On Thu, Jun 16, 2011 at 12:56 PM, Torsten Lodderstedt
> <tors...@lodderstedt.net> wrote:
>> Certainly not. Are we discussing to make client authentication
>> required just for syntactical purposes?
> That is what I'd like to see.
> From my perspective, no harm is done by making client authentication a
> syntactical requirement of the protocol.
> - clients that can't keep secrets aren't harmed; they have the exact
> same security they do today.
> - everyone else benefits because the spec becomes simpler and more
> consistent.
No, it's neither simpler nor clearer. Such a client secret is useless, so
the security implications have to be explained anyway. Moreover,
whatever the spec states, people would start to _rely_ on client
secrets even for native apps, which is a really bad idea.
regards,
Torsten.
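The point under discussion, as an added illustration that is not part of the thread and not code from any OAuth implementation: a token endpoint that accepts a client_secret from every client for syntactic consistency, but only counts it as authentication when the client was registered as confidential. A secret shipped inside a native app is known to every copy of the app, so the server must never let it upgrade a public client to "authenticated". The client registry, client ids, secrets and grant-type policy below are constructed placeholders.

```python
"""Added example: client_secret counts as authentication only for confidential clients.
All registry entries and request parameters are constructed for the example."""
import hmac

# Constructed client registry. "confidential" clients run server-side and can keep a
# secret; "public" clients (native/mobile apps) ship any secret inside the binary.
CLIENTS = {
    "web-backend": {"type": "confidential", "secret": "s3rv3r-only-secret"},
    "mobile-app": {"type": "public", "secret": "embedded-in-app-binary"},
}


def authenticate_client(params):
    """Return (client_id, status) for a token request.

    status is one of:
      "authenticated"   - confidential client presented the correct secret
      "unauthenticated" - public client; a presented secret is accepted syntactically
                          but proves nothing about who is calling
      "invalid"         - unknown client, or confidential client with a wrong secret
    """
    client_id = params.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None:
        return None, "invalid"
    presented = params.get("client_secret", "")
    if client["type"] == "confidential":
        # Constant-time comparison; the secret is the actual credential here.
        if hmac.compare_digest(presented, client["secret"]):
            return client_id, "authenticated"
        return client_id, "invalid"
    # Public client: do not verify, do not trust. Whether the secret matches or not
    # must make no difference to the outcome, otherwise callers start relying on it.
    return client_id, "unauthenticated"


def token_decision(params):
    """Apply a constructed grant policy on top of the authentication result."""
    client_id, status = authenticate_client(params)
    if status == "invalid":
        return "invalid_client"
    grant = params.get("grant_type")
    if grant == "client_credentials":
        # Issuing tokens on the client's own authority needs a real client identity.
        return "ok" if status == "authenticated" else "unauthorized_client"
    if grant == "authorization_code":
        # Fine for public clients: the authorization code, not the secret, is the proof.
        return "ok"
    return "unsupported_grant_type"


if __name__ == "__main__":
    # A public client presenting its embedded secret gets exactly the same treatment
    # as one presenting no secret at all.
    for secret in ("embedded-in-app-binary", "", "anything"):
        print(token_decision({"client_id": "mobile-app", "client_secret": secret,
                              "grant_type": "client_credentials"}))
```

The observable property to test on any authorization server is the last loop: for a public client the response must not vary with the value of client_secret. If it does, the server is relying on a secret that the spec text cannot make secret.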
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth