Dick Hardt wrote:
2) Client signed tokens are no more secure in MITM attacks than bearer tokens for on-the-fly attacks. If the attacker can disrupt the channel, the attacker can take the signed token and use it to make a valid call just as if it was a bearer token.
I don't understand. How will MITM be authenticated in this case? To determine whether the call is *valid*, the signature needs to be checked against the identity of the presenter of the token.
Igor

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
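The two positions above can be made concrete with a small model of a keyed (MAC-style) token check, added here as an illustration and not part of the thread or of any OAuth specification text. It assumes a client that holds a shared HMAC key bound to a token id and signs the request method, host, path, timestamp and nonce; the resource server recomputes the MAC, rejects stale timestamps, and remembers nonces. The key, token id, host and paths are constructed sample values. Run as a script, it shows both points at once: a captured signed request presented unchanged within the freshness window is accepted (so, without nonce tracking, a signed token gives no more than a bearer token against an on-the-fly relay), while any modification of the request, or a later replay, fails because the signature is tied to the presenter's key and to the request it was computed over.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SignedRequest:
    token_id: str
    method: str
    host: str
    path: str
    timestamp: int
    nonce: str
    mac: str  # hex HMAC-SHA256 over the normalized request


def normalize(token_id, method, host, path, timestamp, nonce) -> bytes:
    """Canonical byte string covered by the MAC (one field per line)."""
    parts = [token_id, method.upper(), host.lower(), path, str(timestamp), nonce]
    return "\n".join(parts).encode()


def sign_request(token_id, key, method, host, path, timestamp=None, nonce=None):
    """Client side: compute a MAC with the key bound to token_id."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, normalize(token_id, method, host, path, ts, nonce),
                   hashlib.sha256).hexdigest()
    return SignedRequest(token_id, method, host, path, ts, nonce, mac)


def bearer_check(valid_tokens, presented) -> str:
    """Bearer model: possession of the string is the whole check."""
    return "ok" if presented in valid_tokens else "unknown token"


class ResourceServer:
    """Resource server that verifies MAC-signed requests."""

    def __init__(self, keys, window=300):
        self.keys = keys          # token_id -> shared key (constructed registry)
        self.window = window      # allowed clock skew in seconds
        self.seen = set()         # (token_id, nonce) pairs already accepted

    def verify(self, req: SignedRequest, now=None) -> str:
        now = int(time.time()) if now is None else now
        key = self.keys.get(req.token_id)
        if key is None:
            return "unknown token"
        expected = hmac.new(key, normalize(req.token_id, req.method, req.host,
                                           req.path, req.timestamp, req.nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: the MAC binds the presenter's key to this request.
        if not hmac.compare_digest(expected, req.mac):
            return "bad signature"
        if abs(now - req.timestamp) > self.window:
            return "stale timestamp"
        if (req.token_id, req.nonce) in self.seen:
            return "replay"
        self.seen.add((req.token_id, req.nonce))
        return "ok"


def demo():
    """Returns the outcome of each scenario as a dict (constructed values)."""
    key = b"constructed-shared-secret"
    server = ResourceServer({"t-1": key})
    req = sign_request("t-1", key, "GET", "api.example", "/resource",
                       timestamp=1_700_000_000, nonce="n1")
    results = {}
    # Legitimate request, shortly after signing.
    results["original"] = server.verify(req, now=1_700_000_010)
    # Same captured request presented again: signature valid, nonce already used.
    results["replay"] = server.verify(req, now=1_700_000_020)
    # Captured request with the path changed: MAC no longer matches.
    results["tampered"] = server.verify(replace(req, path="/other"), now=1_700_000_020)
    # Captured request presented an hour later to a server with an empty nonce cache.
    fresh = ResourceServer({"t-1": key})
    results["late_replay"] = fresh.verify(req, now=1_700_000_000 + 3600)
    # Bearer contrast: the captured string alone is enough, for any request.
    results["bearer"] = bearer_check({"bearer-abc"}, "bearer-abc")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:12s} -> {outcome}")
```

The order of the checks matters for what a log will say: the MAC is verified first so that a tampered request is reported as a signature failure rather than as a timestamp or nonce problem, and the nonce set is only updated after every other check has passed.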