Melinda Shore wrote:
> On 09/06/2011 11:11 AM, Jill Burrows wrote:
>> I repeat, it is not an OAuth problem.
>
> If I'm reading Mike correctly (and if I'm not it won't be the
> first time I've misunderstood him), he's not really asking for
> OAUTH to solve this particular problem but to clarify the
> documents and beef up discussions of what is and is not in
> scope. He read the document and couldn't figure out whether
> or not this particular problem is the business of the working
> group.

I'm fairly certain that if somebody were deploying oauth for their servers
that unless the document told me that oauth doesn't provide protection
against third party snooping if it's embedded in any app, most people wouldn't
have a clue that that was a dangerous assumption.

What this says is that oauth only works in one use case, and that only the
user can tell the difference. Given the proliferation of phone apps and
embedded webviews, it seems that the original assumptions of oauth are
no longer up to date.

Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
