Thanks George. My response is inline.

On Thu, Jul 29, 2010 at 2:51 PM, George Fletcher <gffle...@aol.com> wrote:
> Question. In the proposal, how does google know that the request is being
> presented by "acct:dbou...@cliqset.com"? Is the secret used for the magic
> signature in the first request, the user's private key? So in this case
> cliqset.com would have dbounds' private key in order to generate the
> signature? (This seems to be implied from the oauth-push doc; at least from
> my reading).
Google would perform a WebFinger on the acct: URI, discovering the XRD (http://cliqset.com/etc/webfinger/?q=acct:dbou...@cliqset.com). The XRD would present my Magic Signature key, which would be used to verify the signature in the assertion.

> I love the idea of allowing access to protected resources by individuals
> that do not have an "account" at the provider. This is a critical next step
> in the set of capabilities supported by OAuth and other technologies.
> However, I'm not quite sure how the provider verifies the presented user
> identifier. Meaning, how does the provider protect against me specifying
> someone else's identifier and getting access to the protected resource.

The actions mentioned above ensure the assertion was made by cliqset.com and not spoofed.

References:
http://code.google.com/p/webfinger/wiki/WebFingerProtocol
http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html

--
darren bounds
dar...@cliqset.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
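To make the discover-then-verify check in the reply above concrete, here is an added example in Go; it is not code from this thread, from WebFinger or from the Salmon project. It replaces the WebFinger/XRD fetch with an in-memory map, assumes the draft-00 Magic Signatures construction (base64url-armor the data, RSA-SHA256 over the armored string, key published as RSA.<modulus>.<exponent> in unpadded base64url), and all acct: URIs and the assertion body are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // magicsig uses base64url; the unpadded form is assumed here

// Constructed stand-in for WebFinger discovery: acct: URI -> the magic-public-key value its XRD would carry.
var published = map[string]string{}

// Home-provider side: create the user's key pair and publish "RSA.<modulus>.<exponent>"; the private half stays home.
func RegisterDemoKey(acct string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil { published[acct] = "RSA." + b64.EncodeToString(priv.N.Bytes()) + "." + b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()) }
	return priv, err
}

func parseMagicKey(s string) (*rsa.PublicKey, bool) {
	parts := strings.Split(s, ".")
	if len(parts) != 3 || parts[0] != "RSA" { return nil, false }
	n, errN := b64.DecodeString(parts[1])
	e, errE := b64.DecodeString(parts[2])
	if errN != nil || errE != nil { return nil, false }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, true
}

// Armor data as base64url and sign the armored string with RSA-SHA256 (draft-00 construction).
func SignAssertion(priv *rsa.PrivateKey, data []byte) (string, string, error) {
	armored := b64.EncodeToString(data)
	h := sha256.Sum256([]byte(armored))
	raw, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return armored, b64.EncodeToString(raw), err // signature is "" when err != nil
}

// Protected-resource side: verify only against the key published for the *claimed* acct.
func VerifyAssertion(acct, armored, sig string) bool {
	pub, ok := parseMagicKey(published[acct]) // unknown acct -> "" -> not ok
	raw, err := b64.DecodeString(sig)
	if !ok || err != nil { return false }
	h := sha256.Sum256([]byte(armored))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], raw) == nil
}
```

Because the key is looked up under the identifier the assertion claims, a request that names another user's acct: is checked against that user's published key and fails, which is the property George asked about.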