Hey Allen, Thanks for the feedback! I'm planning to remove the client secret from the signature mechanism as I heard this from someone else as well.
--David On Mon, Mar 22, 2010 at 4:20 PM, Allen Tom <a...@yahoo-inc.com> wrote: > Hi All - > > Regarding the client secret - one of the design goals for OAuth-WRAP was to > cleanly separate the AuthZ server from the Protected Resource. The Protected > Resource should only have to know how to validate Access Tokens issued by > its AuthZ server. > > The HMAC-SHA1 signature method defined in 4.2.1.1 of the Oauth 2.0 spec > violates this principle because it requires the protected resource to have > the client secret in order to validate the signature. Distributing the > client secret to all Protected Resources can have negative security and > performance implications. > > http://www.ietf.org/mail-archive/web/oauth/current/msg01396.html#compute_sig > > I recommend removing the client secret from the signature calculation, and > instead using only the Access Token secret. > > Allen > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
