I just wanted to bring these points up, but Torsten got there first!
It only remains for me then to +1 on both.
Igor
Torsten Lodderstedt wrote:
Eran,
- Authentication schemes
You propose to use the authentication scheme name "OAuth2" for the
WWW-Authenticate header but another scheme name "MAC" for the
authorization header. I've never seen such an asymmetric approach
before. Don't you think people get confused about that? Moreover, the
bearer draft also uses the name "OAuth2" in the authorization header.
Why this difference? Why don't you just add some parameters to the
"OAuth2" scheme?
- 6.3. Spoofing by Counterfeit Servers
The protocol does not support server authentication
but it should prevent token abuse by the Counterfeit
server, shouldn't it?
regards,
Torsten.
On 09.01.2011 18:18, Eran Hammer-Lahav wrote:
http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token
Feedback appreciated, especially for section 3.2.1 (the new
normalized request string) which is an attempt to take the HMAC-SHA1
flow from 1.0a and simplify it.
No body signature support yet, but will add that in -01.
EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
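The exchange above turns on one question: what a counterfeit server gains from a MAC-style token compared with a bearer token. The following is an added illustration, not code from the draft or from any participant in the thread. It signs a request with HMAC-SHA1 over a newline-separated normalized request string in the spirit of section 3.2.1, then checks it server-side. The element order of that string, the `MAC` header attribute names (`id`, `ts`, `nonce`, `mac`), the 300-second freshness window and the key-lookup shape are all assumptions made for this example, not the draft's exact grammar.

```python
"""Illustrative MAC-style request signing and verification (added example).

Assumptions (not taken from draft-hammer-oauth-v2-mac-token): the normalized
request string layout, the header attribute names, the freshness window and
the key store shape. The point being demonstrated is the one the thread
raises: the signature binds host, port, method and URI, so a counterfeit
server that captures a signed request cannot reuse the credential elsewhere.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp


def normalized_request_string(timestamp, nonce, method, request_uri, host, port):
    # One element per line; method upper-cased and host lower-cased so that
    # client and server normalize identically (element order is an assumption).
    elements = (str(timestamp), nonce, method.upper(), request_uri, host.lower(), str(port))
    return "".join(f"{e}\n" for e in elements)


def compute_mac(key: bytes, nrs: str) -> str:
    # HMAC-SHA1 over the normalized request string, base64-encoded, as in 1.0a.
    digest = hmac.new(key, nrs.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def split_url(url):
    # Derive host, port and request-URI from an absolute URL.
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    request_uri = parts.path or "/"
    if parts.query:
        request_uri += "?" + parts.query
    return parts.hostname, port, request_uri


def sign_request(key_id, key, method, url, timestamp=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    host, port, request_uri = split_url(url)
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(8)
    nrs = normalized_request_string(timestamp, nonce, method, request_uri, host, port)
    params = {"id": key_id, "ts": str(timestamp), "nonce": nonce, "mac": compute_mac(key, nrs)}
    return "MAC " + ", ".join(f'{k}="{v}"' for k, v in params.items())


def parse_header(header):
    """Parse 'MAC k="v", k2="v2"' into a dict (assumed attribute grammar)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC header")
    params = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        params[k] = v.strip('"')
    return params


class ResourceServer:
    def __init__(self, keys, now=None):
        self.keys = keys    # key id -> shared MAC secret (bytes)
        self.seen = set()   # (id, ts, nonce) tuples already accepted
        self.now = now or (lambda: int(time.time()))

    def verify(self, header, method, url):
        """Return (accepted, reason); the server uses ITS OWN view of the request."""
        try:
            p = parse_header(header)
            key = self.keys[p["id"]]
            ts = int(p["ts"])
        except (ValueError, KeyError):
            return False, "malformed header or unknown key id"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        host, port, request_uri = split_url(url)
        expected = compute_mac(key, normalized_request_string(ts, p["nonce"], method, request_uri, host, port))
        if not hmac.compare_digest(expected, p["mac"]):
            return False, "mac mismatch"
        replay_key = (p["id"], ts, p["nonce"])
        if replay_key in self.seen:
            return False, "nonce replayed"
        self.seen.add(replay_key)
        return True, "ok"


def counterfeit_server_scenarios():
    """Constructed scenarios: what a counterfeit server can and cannot do."""
    key_id, key = "client-1", b"shared-mac-secret"   # constructed credential
    now = 1_300_000_000                                # constructed clock value
    server = ResourceServer({key_id: key}, now=lambda: now)
    # Constructed: the client was lured to a counterfeit host and signed a request for it.
    captured = sign_request(key_id, key, "GET", "https://counterfeit.example.net/resource/1", now, "n1")
    # Constructed: a genuine request the client sent to the real server.
    genuine = sign_request(key_id, key, "GET", "https://api.example.com/resource/1", now, "n2")
    real = "https://api.example.com/resource/1"
    return {
        "relay_to_real_host": server.verify(captured, "GET", real)[1],
        "genuine_first_use": server.verify(genuine, "GET", real)[1],
        "genuine_replayed": server.verify(genuine, "GET", real)[1],
        "tampered_method": server.verify(genuine, "DELETE", real)[1],
    }


if __name__ == "__main__":
    for name, reason in counterfeit_server_scenarios().items():
        print(f"{name}: {reason}")
```

The scenarios show the limit of what the signature buys: a captured header signed for another host, a changed method, or a second presentation of the same nonce are all rejected, and the shared secret itself never crosses the wire. The caveat, which is the substance of Torsten's question, is that a counterfeit server able to answer for the real host name can still relay one captured request, unmodified, inside the timestamp window; the MAC confines the abuse to that single request rather than removing the need for server authentication.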