Hi Prateek,

> I would like to strongly disagree with this proposal.
>
> It amounts to explicitly making OAuth 2.0 insecure so as to
> satisfy some mysterious and unspecified set of legacy OAuth
> 1.0 deployments.
>
> The SAML web SSO (artifact) profile - which shares many
> characteristics with the initial steps in OAuth - requires
> precisely such a counter-measure and is widely implemented
> in 1000s of deployments.
What counter-measure is this? Can you provide a reference? Section 4.1.3.5 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf recommends TLS but does not require it.

Francisco
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth