-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/15/2011 10:08 PM, Greg Brail wrote:
> I understand and thanks for clarifying. I agree that there may be services
> that do not want to support HTTP Basic at all for their authorization
> flows and that requiring it would weaken the security of OAuth 2.0 and
> prevent its usage by some applications.

That's why I said that whenever you have negotiation you must think
about downgrade attacks. There are ways to mitigate those, for instance
by re-examining the available methods/mechanisms once a secure channel
has been established.

        Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5ycJEACgkQ8Jx8FtbMZneO6QCfRWB6q7W7P5fZFOsNJKd6NT91
9E4AoJI3h6sB2O0ZZAQqt4OT4B4HG5T3
=+/QY
-----END PGP SIGNATURE-----
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
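The mitigation Leif mentions, re-examining the advertised mechanisms once the secure channel is up, is illustrated below. This is an added example, not code from the thread or from any IETF document. The scenario is assumed: a client sees a server's list of accepted client authentication methods first over an unprotected channel and again after a protected channel exists; method names and the strength ranking are constructed and stand in for the client's local policy.

```python
"""Illustration of downgrade detection during mechanism negotiation.

Added example (not from the OAuth thread). Assumed scenario: a client
learns which client authentication methods a server accepts, first over
an unprotected channel and again once a secure channel exists. The second
look is the mitigation described in the thread: it lets the client notice
when the unprotected list was altered to steer it toward a weaker method.
"""

# Constructed ranking of client authentication methods, strongest first.
# The names are illustrative; the ranking is the client's local policy.
STRENGTH = {
    "private_key_jwt": 3,
    "client_secret_basic": 2,
    "client_secret_post": 1,
}


class DowngradeDetected(Exception):
    """Raised when the secure channel reveals options the insecure one hid."""


def strongest(offered, supported):
    """Pick the strongest method in `offered` that the client also supports."""
    common = [m for m in offered if m in supported]
    if not common:
        raise ValueError("no mutually supported authentication method")
    return max(common, key=lambda m: STRENGTH.get(m, 0))


def negotiate(insecure_offer, secure_offer, client_supported):
    """Choose a method, trusting only the list seen over the secure channel.

    insecure_offer: methods advertised before the secure channel was up
    secure_offer:   methods advertised again once the channel is protected
    Returns the chosen method, or raises DowngradeDetected when the
    unprotected offer omitted something the protected offer contains.
    """
    hidden = set(secure_offer) - set(insecure_offer)
    if hidden:
        raise DowngradeDetected(
            f"offer over insecure channel omitted: {sorted(hidden)}")
    return strongest(secure_offer, client_supported)


# --- constructed scenario ---------------------------------------------------

SERVER_METHODS = ["private_key_jwt", "client_secret_basic"]
CLIENT_METHODS = {"private_key_jwt", "client_secret_basic", "client_secret_post"}


def weakest_only(offer):
    """Simulated tampering of the unprotected offer: only the weakest method
    survives, so a client that trusts this list alone would select it."""
    weakest = min(offer, key=lambda m: STRENGTH.get(m, 0))
    return [weakest]


def run_honest():
    """Both offers agree: negotiation yields the strongest common method."""
    return negotiate(SERVER_METHODS, SERVER_METHODS, CLIENT_METHODS)


def run_tampered():
    """The unprotected offer was reduced; re-examination over the secure
    channel exposes the mismatch and the client refuses to proceed."""
    try:
        negotiate(weakest_only(SERVER_METHODS), SERVER_METHODS, CLIENT_METHODS)
        return "accepted"
    except DowngradeDetected:
        return "downgrade detected"


def run_naive():
    """A client that never re-examines after the secure channel is up
    silently ends up on the weaker method."""
    return strongest(weakest_only(SERVER_METHODS), CLIENT_METHODS)


if __name__ == "__main__":
    print(run_honest())    # private_key_jwt
    print(run_tampered())  # downgrade detected
    print(run_naive())     # client_secret_basic
```

The check is deliberately one-directional: the protected offer is the authority, and any method it lists that the unprotected offer lacked is treated as evidence of tampering rather than as a harmless difference.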
