On Tue, Jun 7, 2011 at 5:43 PM, William J. Mills <wmi...@yahoo-inc.com> wrote:
> MAC adds security if the initial secret exchange is secure, and it provides
> a definition for signing payload as part of the request.

Not if the MAC doesn't protect enough of the request _and_ response to prevent active attacks. Unless you don't care about those attacks (which some of you have indicated), in which case why bother with the MAC at all?

Nico
--
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth