On Mar 8, 2010, at 3:35 PM, Dick Hardt wrote:

> 2) Client signed tokens are no more secure in MITM attacks than bearer tokens
> for on-the-fly attacks. If the attacker can disrupt the channel, the attacker
> can take the signed token and use it to make a valid call just as if it was a
> bearer token. Imagine the attacker disrupting every other request, and using
> the valid token to make an API call.
I think that what you mean here is that the MITM steals (at least the signed portion of) the request as well as the token. If the MITM has to sign a request it created itself, even with a stolen token, it will (or should) not have access to the secret key assigned to a properly-provisioned client, and thus cannot authenticate correctly to the recipient.

Regards,
- johnk

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth