On Wed, Jul 14, 2010 at 2:28 PM, William Mills <wmi...@yahoo-inc.com> wrote:
> We're trying to design around transport security with short expiration
> and single use tokens. SSL solves the problem.

No, we're not, and no, it doesn't.

The issue here is not that tokens are sent over unencrypted channels, or unauthenticated channels. The issue here is that browsers make it hard for server A to pass information through the client in such a way that only server B can read the information.

I have some notes on the challenges here: http://www.ietf.org/mail-archive/web/oauth/current/msg03662.html.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth