> -----Original Message-----
> From: Tim [mailto:tim-proje...@sentinelchicken.org]
> Sent: Wednesday, June 08, 2011 8:32 AM
>
> At risk of repeating myself: Why not just adapt HTTP Digest for OAuth?
> That is not just rhetorical, it is a genuine question. What is HTTP Digest
> missing that you need?

The latest version of this draft:

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00

includes a Design Constraints section which tries to explain this:

    Unlike the HTTP Digest authentication scheme, this mechanism does not
    require interacting with the server to prevent replay attacks. Instead,
    the client provides both a nonce and a timestamp, which the server can
    use to prevent replay attacks using a bounded amount of storage.

    Also unlike Digest, this mechanism is not intended to protect the user's
    password itself because the client and server both have access to the
    key material in the clear. Instead, servers should issue a short-lived
    derivative credential for this mechanism during the initial TLS setup
    phase.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
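The "nonce plus timestamp, bounded storage" design described in the quoted Design Constraints text is easy to get subtly wrong on the server side, so here is an added illustration of it. This is example code written for this thread, not code from the draft or from any OAuth implementation. The normalized request string layout, the field names, and the `ReplayGuard` class are assumptions made for the example; the draft's exact normalization rules are not reproduced. The key point it shows is the storage bound: a server only has to remember nonces for a window around the current time, because anything with a timestamp outside that window is rejected before the nonce store is consulted, and the MAC is checked before the nonce is recorded so that unauthenticated traffic cannot fill the store.

```python
import base64
import hashlib
import hmac
import time
from collections import deque


def normalized_request_string(timestamp, nonce, method, uri, host, port, ext=""):
    """Simplified normalized request string (assumption: a stand-in for the
    draft's own layout). Every element is newline-terminated so that no two
    different requests can produce the same string."""
    parts = [str(timestamp), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key, timestamp, nonce, method, uri, host, port, ext=""):
    """HMAC-SHA256 over the normalized string, base64-encoded (assumed encoding)."""
    msg = normalized_request_string(timestamp, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


class ReplayGuard:
    """Server-side replay protection with bounded memory.

    A request is accepted only if its timestamp is within +/- window seconds
    of the server clock and its (key_id, timestamp, nonce) triple has not been
    seen before. Seen triples are kept for 2 * window seconds after they were
    recorded: a timestamp can be at most `window` in the future when accepted,
    and stays acceptable for another `window` after that, so nothing older
    than 2 * window can ever be replayed and may safely be forgotten.
    """

    def __init__(self, window_seconds=300, now=time.time):
        self.window = window_seconds
        self.now = now                  # injectable clock for testing
        self._seen = set()              # (key_id, timestamp, nonce)
        self._order = deque()           # (recorded_at, triple), insertion order

    def _expire(self, now):
        # Entries are appended in clock order, so the oldest is always at the left.
        while self._order and now - self._order[0][0] > 2 * self.window:
            _, triple = self._order.popleft()
            self._seen.discard(triple)

    def check(self, key_id, timestamp, nonce):
        """Return True and record the nonce if the request is fresh and unseen."""
        now = self.now()
        self._expire(now)
        if abs(now - timestamp) > self.window:
            return False                # stale, or clock skew beyond tolerance
        triple = (key_id, timestamp, nonce)
        if triple in self._seen:
            return False                # replay
        self._seen.add(triple)
        self._order.append((now, triple))
        return True

    def size(self):
        return len(self._seen)


def verify_request(key, guard, key_id, timestamp, nonce, mac,
                   method, uri, host, port, ext=""):
    """Verify the MAC first, then the replay check, so that only requests
    carrying a valid MAC consume nonce storage. Returns a short status string."""
    expected = compute_mac(key, timestamp, nonce, method, uri, host, port, ext)
    if not hmac.compare_digest(expected, mac):
        return "bad_mac"
    if not guard.check(key_id, timestamp, nonce):
        return "replay_or_stale"
    return "ok"


if __name__ == "__main__":
    # Constructed sample credential and request; not real values.
    key = b"constructed-derivative-credential"
    clock = [1_300_000_000.0]
    guard = ReplayGuard(window_seconds=300, now=lambda: clock[0])
    ts, nonce = 1_300_000_000, "dj83hs9s"
    mac = compute_mac(key, ts, nonce, "GET", "/resource/1?b=1&a=2", "example.com", 80)
    print(verify_request(key, guard, "h480djs93hd8", ts, nonce, mac,
                         "GET", "/resource/1?b=1&a=2", "example.com", 80))   # ok
    print(verify_request(key, guard, "h480djs93hd8", ts, nonce, mac,
                         "GET", "/resource/1?b=1&a=2", "example.com", 80))   # replay_or_stale
```

Because the window test runs before the set lookup, the set can only ever hold nonces from the last `2 * window` seconds of accepted, correctly authenticated requests; that is the "bounded amount of storage" the draft refers to, and it is what Digest's server-chosen nonces avoid needing at the cost of an extra round trip.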