On Tue, Jul 13, 2010 at 2:59 PM, Brian Eaton <bea...@google.com> wrote:
> the question is what happens if both the
> signing key and the token database get compromised.
>
> Now that I think of it, you may have issues if the signing key alone
> is compromised. It depends how much other entropy you've added to the
> tokens...

Um, if the signing key is lost, you're sunk. Forget about the database: with the signing key you can forge your own tokens till doomsday (which will come much more quickly). The keys are definitely the most confidential part of the system, naturally.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
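The two positions in the exchange above can be made concrete. The following is an added example, not code from the thread or from any OAuth implementation: scheme A is a bare HMAC-signed token, where holding the signing key is sufficient to mint a token the verifier accepts; scheme B adds the "other entropy" Brian mentions, a per-token random secret that is stored only server-side and covered by the MAC, so a verifier also needs the token database and a leaked key on its own does not yield an acceptable token. The in-memory dict `TOKEN_DB`, the signing key value and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed stand-in for the "token database" in the thread: token id -> (subject, per-token secret).
TOKEN_DB: Dict[str, Tuple[str, bytes]] = {}


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, used for ids and MACs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _mac(signing_key: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over '|'-joined parts, base64-encoded."""
    return _b64(hmac.new(signing_key, b"|".join(parts), hashlib.sha256).digest())


# --- Scheme A: signature only. The signing key is the entire secret. ---------
def issue_signed_only(signing_key: bytes, subject: str) -> str:
    """Token = subject.sig. Whoever holds signing_key can produce these."""
    return f"{subject}.{_mac(signing_key, subject.encode())}"


def verify_signed_only(signing_key: bytes, token: str) -> bool:
    """Accepts any token whose MAC matches; no server-side state is consulted."""
    subject, _, sig = token.rpartition(".")
    return bool(subject) and hmac.compare_digest(sig, _mac(signing_key, subject.encode()))


# --- Scheme B: signature plus a per-token random secret held only in the DB. ---
def issue_db_backed(signing_key: bytes, subject: str) -> str:
    """Token = id.sig, where sig also covers a 128-bit secret that never leaves
    the server. This is the 'other entropy' the thread refers to."""
    token_id = _b64(secrets.token_bytes(9))
    db_secret = secrets.token_bytes(16)
    TOKEN_DB[token_id] = (subject, db_secret)
    return f"{token_id}.{_mac(signing_key, token_id.encode(), subject.encode(), db_secret)}"


def verify_db_backed(signing_key: bytes, token: str) -> Optional[str]:
    """Return the subject on success, None otherwise. Requires both the key and
    the DB record; a correctly keyed MAC over an unknown id is still rejected."""
    token_id, _, sig = token.partition(".")
    record = TOKEN_DB.get(token_id)
    if record is None:
        return None
    subject, db_secret = record
    expected = _mac(signing_key, token_id.encode(), subject.encode(), db_secret)
    return subject if hmac.compare_digest(sig, expected) else None


def revoke(token_id: str) -> None:
    """Dropping the DB record invalidates the token even though its MAC is intact."""
    TOKEN_DB.pop(token_id, None)


if __name__ == "__main__":
    key = b"constructed-signing-key"  # constructed sample value, not a real key
    a = issue_signed_only(key, "alice")
    print("scheme A verifies:", verify_signed_only(key, a))
    b = issue_db_backed(key, "alice")
    print("scheme B subject:", verify_db_backed(key, b))
    revoke(b.split(".")[0])
    print("scheme B after revoke:", verify_db_backed(key, b))
```

Scheme B does not rescue a lost signing key in the way the reply warns about (the key still has to be rotated), but it shows what the "other entropy" buys: an attacker holding only the key cannot produce a token the server accepts without also reading the per-token secret from the database, and a compromised database alone is equally useless without the key. It also gives the server a revocation hook that a pure signed token lacks.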