On Tue, Nov 18, 2008 at 7:57 PM, Martin Atkins <[EMAIL PROTECTED]> wrote:
> Breno de Medeiros wrote:
>>
>> At this point, there is no reasonably secure formulation of OAuth
>> without key registration.
>>
>> We hope to add one for the hybrid protocol.
>>
>
> If that is true then OAuth is broken. Wouldn't it be better to fix this
> problem in OAuth itself rather than only in the hybrid protocol?

Addressing it at the level of the OAuth spec may be useful also, but it is not really desirable to have the request token step in the hybrid protocol for performance reasons. And any such "fix" for OAuth that will work also for desktop apps will probably involve the request token step (in fact it is not too hard to envision some strategies along those lines).

> Mobile and desktop apps need to be able to use OAuth as well, and since
> consumer secrets are impractical for such apps there has to be a way to use
> OAuth without consumer secrets in order to support them. The hybrid protocol
> is not appropriate for desktop/mobile apps, so fixing it at this level does
> not address the problem.
>
> Cheers,
> Martin
>

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
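The point the two messages above are arguing over (that OAuth's consumer-key registration is what lets a service provider tell a real consumer from an impersonator, and that a desktop or mobile app cannot keep such a secret) can be seen concretely in the HMAC-SHA1 signing step of OAuth 1.0. The following is an added example written for this page, not code from the thread, from OpenID or from the OAuth spec. It implements the signature base string and signing key exactly as OAuth Core 1.0 / RFC 5849 section 3.4 define them, then plays both sides of a request-token call. The provider endpoint, consumer key, nonce, timestamp and secrets are made up for the demonstration.

```python
"""OAuth 1.0 HMAC-SHA1 signing, and why the consumer secret matters.

Added example for the thread above; not code from the OpenID or OAuth
specs.  Base-string and key construction follow RFC 5849 section 3.4.
The provider URL, consumer key, nonce, timestamp and secrets are made up.
"""
import base64
import hashlib
import hmac
import urllib.parse


def pct(s: str) -> str:
    """Percent-encode per RFC 5849 3.6 (only RFC 3986 unreserved chars kept)."""
    return urllib.parse.quote(s, safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode names and values, sort by name then value, join with = and &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD&pct(url)&pct(normalized params); oauth_signature is excluded."""
    params = {k: v for k, v in params.items() if k != "oauth_signature"}
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """Sign with key pct(consumer_secret)&pct(token_secret).

    At the request-token step there is no token secret yet, so the only
    thing standing between a stranger and a valid signature is the
    consumer secret.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def provider_verify(registry, method, base_url, params, presented, token_secret=""):
    """Service-provider side: recompute with the secret registered for the key."""
    secret = registry.get(params.get("oauth_consumer_key", ""))
    if secret is None:
        return False
    expected = hmac_sha1_signature(method, base_url, params, secret, token_secret)
    return hmac.compare_digest(expected, presented)


BASE_URL = "https://provider.example/oauth/request_token"  # made-up endpoint
REQUEST_TOKEN_PARAMS = {  # constructed request-token call (OAuth 1.0a parameters)
    "oauth_consumer_key": "desktop-app-key",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1227052620",
    "oauth_nonce": "7d8f3e4a",
    "oauth_version": "1.0",
    "oauth_callback": "oob",
}


def impersonation_accepted(registered_secret: str, attacker_secret: str) -> bool:
    """Does a party that knows the consumer key get a request token issued?

    The attacker signs with `attacker_secret` as the consumer secret.  If the
    provider registered no secret, or a secret the attacker also holds (as
    with one extracted from a shipped desktop binary), the forgery verifies.
    """
    registry = {"desktop-app-key": registered_secret}
    forged = hmac_sha1_signature("POST", BASE_URL, REQUEST_TOKEN_PARAMS, attacker_secret)
    return provider_verify(registry, "POST", BASE_URL, REQUEST_TOKEN_PARAMS, forged)


if __name__ == "__main__":
    print("no registered secret, attacker signs with empty key:",
          impersonation_accepted("", ""))              # True: indistinguishable
    print("secret registered and kept on a server:",
          impersonation_accepted("s3cr3t", ""))        # False: rejected
    print("secret embedded in a shipped binary:",
          impersonation_accepted("s3cr3t", "s3cr3t"))  # True: extraction defeats it
```

The three cases in the `__main__` block are the three positions in the thread: without a registered secret the provider has nothing to check, a secret held on a web consumer's server does its job, and a secret compiled into a desktop or mobile binary is only as secret as the binary.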