Other than injecting identification into OAuth explicitly, *and* then
using a uniform identification system on both the consumer and service
provider side (e.g. OpenID), strong equivalence -- test(B==C) -- is
impossible. And if identification in any one case is associated with
a
On Mon, Apr 27, 2009 at 9:42 AM, Eve Maler eve.ma...@sun.com wrote:
Other than injecting identification into OAuth explicitly, *and* then
using a uniform identification system on both the consumer and service
provider side (e.g. OpenID), strong equivalence -- test(B==C) -- is
impossible.
Peter, thanks for putting the PIN idea in context for me. This is
perhaps a dumb question, but since testing equivalence of the *user*
(a bag of protoplasm) is sort of a last-mile problem anyway, and since
-- if I'm understanding the long Security Advisory discussion thread
correctly --
On Mon, Apr 27, 2009 at 10:50 AM, Eve Maler eve.ma...@sun.com wrote:
Peter, thanks for putting the PIN idea in context for me. This is
perhaps a dumb question, but since testing equivalence of the *user*
(a bag of protoplasm) is sort of a last-mile problem anyway, and since
-- if I'm
Peter Keane wrote:
On Mon, Apr 27, 2009 at 10:50 AM, Eve Maler eve.ma...@sun.com wrote:
Peter, thanks for putting the PIN idea in context for me. This is
perhaps a dumb question, but since testing equivalence of the *user*
(a bag of protoplasm) is sort of a last-mile problem anyway, and
On Apr 26, 2009, at 12:32 AM, Nat Sakimura wrote:
I agree that 2. test(B==C), i.e., verify that the user at B is the
same user at C is
not the same as 2b. min Prob(B!=C).
The former is clearly more desirable.
+1
If someone logs in to both sites using something like OpenID,
then
=...@san Francisco via iPhone
On 2009/04/26, at 5:38, John Kemp j...@jkemp.net wrote:
On Apr 26, 2009, at 12:32 AM, Nat Sakimura wrote:
I agree that 2. test(B==C), i.e., verify that the user at B is the
same user at C is
not the same as 2b. min Prob(B!=C).
The former is clearly more
Sorry:
Almost all of the proposed solutions attempt to minimize the
possibility that user at B is NOT the same as user at C.
is what it should say...
On Apr 25, 10:19 pm, pkeane pjke...@gmail.com wrote:
Here is an attempt to help spell out the OAuth security in simple
terms and thus provide a
I agree that 2. test(B==C), i.e., verify that the user at B is the
same user at C is
not the same as 2b. min Prob(B!=C).
The former is clearly more desirable.
If someone logs in to both sites using something like OpenID,
then it is trivially achieved without much user interaction impact,