On Jan 8, 2010, at 9:15 PM, Eran Hammer-Lahav wrote: [...]
> Is there a *good* reason why the 1.0 specification should not mandate using
> a secure channel for PLAINTEXT?

I guess the question is whether you want implementations using other methods to ensure confidentiality and which don't need other security properties (servers on an intranet, for example, firewalled/VPN'd from the general Internet) to become non-conforming?

> The only reason not to make the change is if there are existing deployed use
> cases where PLAINTEXT is used in such a way.

I would imagine that there are deployments of OAuth in environments where they simply want to use PLAINTEXT for authorization, and have existing methods of dealing with other security properties.

What is the actual reasoning behind this change? I don't understand why we would suddenly now decide to make some whole class of implementations non-conforming, even if there were only few deployments?

Regards,

- johnk