2010/1/9 John Kemp <j...@jkemp.net>:
> On Jan 8, 2010, at 9:15 PM, Eran Hammer-Lahav wrote:
> > What is the actual reasoning behind this change? I don't understand why we
> > would suddenly now decide to make some whole class of implementations
> > non-conforming, even if there were only a few deployments?
Eran did ask if anyone was using OAuth PLAINTEXT without SSL; that said, I don't think that it matters if anyone is using PLAINTEXT with SSL. The spec should outline the basis for interop, and implementations that want to be interoperable and secure MUST check to see that SSL is being used for PLAINTEXT (especially server implementations). Implementations are always free (as in free country) to have special flags that disable the security checks and put their OAuth implementation into non-spec-compliant mode.

The same sort of principle applies to TLS client implementations: the certificate chain MUST be checked as per the specification, but many clients allow developers to just issue warnings, or provide flags to turn off the warnings that the certificate chain checks are not being performed. Even though silencing warnings that your TLS connections are insecure is bad, it's better than the authors of TLS libraries not having to consider those warnings at all.

b.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
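The server-side check the reply argues for, as an added example that is not code from the thread or from any OAuth implementation: an OAuth 1.0 PLAINTEXT request is rejected unless it arrived over TLS, with an explicit `allow_insecure` flag standing in for the "non-spec-compliant mode" the reply describes. The transport scheme is assumed to be supplied by the server framework, and the secrets and Authorization header below are constructed sample values.

```python
import hmac
from urllib.parse import quote, unquote


def percent_encode(s: str) -> str:
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are left bare.
    return quote(s, safe="-._~")


def parse_oauth_header(header: str) -> dict:
    # Parse 'OAuth k="v", k2="v2"' into a dict; values are percent-decoded.
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    params = {}
    for part in header[len("OAuth "):].split(","):
        key, _, value = part.strip().partition("=")
        params[key] = unquote(value.strip().strip('"'))
    return params


def verify_plaintext_request(scheme, auth_header, consumer_secret,
                             token_secret, allow_insecure=False):
    """Return (ok, reason) for a PLAINTEXT-signed request.

    scheme: transport scheme the request actually arrived on ("https"/"http"),
    as reported by the server framework (assumption). allow_insecure mirrors
    the kind of flag that puts a server into non-spec-compliant mode.
    """
    params = parse_oauth_header(auth_header)
    if params.get("oauth_signature_method") != "PLAINTEXT":
        return False, "not a PLAINTEXT request"
    # The spec-mandated check: PLAINTEXT sends the secrets themselves, so it
    # is only acceptable on a TLS-protected channel.
    if scheme != "https" and not allow_insecure:
        return False, "PLAINTEXT requires TLS"
    expected = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    presented = params.get("oauth_signature", "")
    # Constant-time comparison so a mismatch does not leak where it differs.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    return True, "ok"


# Constructed sample request (not real credentials): signature is
# enc(consumer_secret) "&" enc(token_secret), percent-encoded once more in the header.
SAMPLE_HEADER = ('OAuth oauth_consumer_key="demo-key", oauth_signature_method="PLAINTEXT", '
                 'oauth_signature="cs-secret%26tok-secret", oauth_timestamp="1262995200", '
                 'oauth_nonce="n0nce123", oauth_version="1.0"')

if __name__ == "__main__":
    print(verify_plaintext_request("https", SAMPLE_HEADER, "cs-secret", "tok-secret"))
    print(verify_plaintext_request("http", SAMPLE_HEADER, "cs-secret", "tok-secret"))
```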