On Jun 1, 2011, at 6:54 PM, Brian Eaton wrote:

>> (Some web apps might not be able to keep secrets based on open development
>> or deployment model).
>
> Can you clarify what you mean by this?
Simple really, I just mean that for some developers it might be more important to have an open development model (e.g., over GitHub) than to secure secrets. Rather than request and manage a secret for their project, they just choose to make the project a forgeable app.

Let's say it's a Rails app deployed to Heroku and, for convenience, the team doesn't want to add a build step where a protected secret is brought down from a private repo. It's not a native app, but because of how the team works they can't (or won't) secure a secret. What's in production is exactly what's in a public GitHub branch.

Systems like Heroku are blurring the line between source control and deployment. So you can imagine third-party apps, especially voluntary contributions and hack day output, being totally transparent from code to server. For some web apps it just won't be a priority to secure a secret. That's all I'm implying.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth