On 2010-03-12, at 10:22 AM, Eve Maler wrote:
> This nets out to the requesting party (person or company seeking access)
> having an incentive to say "It's really me accessing this", such that it
> mitigates the risk that the requester (client) will hand off both the access
> token and the signing secret to a third party.
Note I am NOT a security expert, and would appreciate an education on where I
am wrong.
When I look at this, I question if there really is that much more value in the
Client having two secret items over one secret item.
I can see an advantage with something like using RSA, in that only the Client
should have the private key, and if the private key can be used for lots of
things, then there is some difference between a token and the private key. With
symmetric keys, multiple parties have the keys, so non-repudiation is not
possible.
-- Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
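As an added illustration of the symmetric-key point made above (this is example code, not part of the thread): an OAuth 1.0-style HMAC-SHA1 signing flow in which the server, holding copies of the same two shared secrets, can itself produce every signature it accepts, so a valid signature proves possession of the secrets but not which party used them. The client id, token and secret values are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(s: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters are left as-is.
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized, sorted parameters).
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str) -> str:
    # RFC 5849 section 3.4.2: the HMAC key is the two shared secrets joined by '&'.
    key = f"{_enc(client_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


# Constructed sample values. The client holds two "secret items"; the server keeps copies of both.
CLIENT_KEYS = {"client_secret": "cs-xyz", "token_secret": "ts-abc"}
SERVER_DB = {"app1": {"client_secret": "cs-xyz", "tokens": {"tok-123": "ts-abc"}}}
REQUEST = {"method": "GET", "url": "https://api.example.test/photos",
           "params": {"oauth_consumer_key": "app1", "oauth_token": "tok-123",
                      "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1268400000",
                      "oauth_nonce": "n1", "oauth_version": "1.0", "file": "vacation.jpg"}}


def sign_as(keys: dict) -> str:
    # Whoever holds the two shared secrets (client, a third party it handed them to, or the
    # server) computes exactly the same signature over the same request.
    base = signature_base_string(REQUEST["method"], REQUEST["url"], REQUEST["params"])
    return hmac_sha1_signature(base, keys["client_secret"], keys["token_secret"])


def server_keys_for(params: dict) -> dict:
    # The server looks up its own copies of both secrets from the request's identifiers.
    app = SERVER_DB[params["oauth_consumer_key"]]
    return {"client_secret": app["client_secret"], "token_secret": app["tokens"][params["oauth_token"]]}


def server_verify(sig: str) -> bool:
    # Verification is recomputation: the verifier can produce any signature it would accept,
    # which is why a symmetric-key signature cannot establish non-repudiation.
    return hmac.compare_digest(sign_as(server_keys_for(REQUEST["params"])), sig)
```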