> -----Original Message-----
> From: Robert Sayre [mailto:say...@gmail.com]
> Sent: Friday, June 10, 2011 11:37 AM
> To: Adam Barth
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: Why not use a server-supplied nonce (was: HTTP MAC
> Authentication Scheme)
>
> On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth <i...@adambarth.com> wrote:
> > On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre <say...@gmail.com> wrote:
> >> Let's call my proposed addition the "opaque" parameter. The client
> >> sends it back unchanged, just like the id.
> >
> > That already exists in the scheme. It's just the value of the cookie.
> >
> >> This is just one use of an opaque field that servers might want to
> >> try. I suppose this data could get stuffed into the SID too. Is that
> >> the idea?
> >
> > Yep.
>
> OK, this is all much clearer. Could the draft include these explanations and
> examples? It seems like the draft is obfuscated right now. Why not just
> plainly state something similar to
>
> "This mechanism really just adds a little more security to session cookies."
>
> in the introduction? I hope it isn't because of HTTP religion or something
> like that.
We can make it clearer with regard to session cookies, but overall, the mechanism is just a cleanup of the OAuth 1.0 MAC functionality.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
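The exchange above turns on two points: the id (or cookie value) is the only thing that crosses the wire in the clear and can carry whatever opaque data the server wants echoed back, while the secret key never travels with the request, so a MAC over the request is what distinguishes this from a bearer session cookie. The following is an added illustration of that shape, written for this page; it is not code from the draft, from the thread participants, or from any OAuth implementation. The normalized-request-string layout, the HMAC-SHA256 choice, the header parameter names, the credential values, and the timestamp window are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed server-side credential store: id -> shared secret key.
# Only the id is ever sent in the clear; the key is fixed at issuance
# and reused by both sides to compute the MAC. Any server-defined opaque
# data can be folded into the id, which is the "sent back unchanged, just
# like the id" role discussed in the thread.
CREDENTIALS = {
    "h480djs93hd8": b"489dks293j39",
}


def normalize(ts, nonce, method, uri, host, port, ext=""):
    """Normalized request string (layout assumed for this example):
    one field per line, terminated by a newline."""
    return "\n".join([str(ts), nonce, method.upper(), uri,
                      host.lower(), str(port), ext]) + "\n"


def compute_mac(key, normalized):
    """HMAC-SHA256 over the normalized string, base64-encoded (assumed choices)."""
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorization(cred_id, key, method, uri, host, port, ts,
                        nonce=None, ext=""):
    """Client side: bind this request to the credential without sending the key."""
    nonce = nonce or secrets.token_urlsafe(8)
    mac = compute_mac(key, normalize(ts, nonce, method, uri, host, port, ext))
    fields = [("id", cred_id), ("ts", str(ts)), ("nonce", nonce)]
    if ext:
        fields.append(("ext", ext))
    fields.append(("mac", mac))
    return "MAC " + ", ".join(f'{k}="{v}"' for k, v in fields)


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC header")
    return dict(_PARAM.findall(params))


def verify(header, method, uri, host, port, now, seen_nonces,
           credentials=CREDENTIALS, window=300):
    """Server side. Returns (ok, reason).

    seen_nonces is the replay cache: a set of (id, ts, nonce) tuples.
    A real deployment would expire entries older than the window."""
    try:
        p = parse_authorization(header)
    except ValueError as exc:
        return False, str(exc)
    for k in ("id", "ts", "nonce", "mac"):
        if k not in p:
            return False, "missing " + k
    key = credentials.get(p["id"])          # id is the only lookup handle
    if key is None:
        return False, "unknown id"
    try:
        ts = int(p["ts"])
    except ValueError:
        return False, "bad ts"
    if abs(now - ts) > window:
        return False, "stale timestamp"
    replay_key = (p["id"], ts, p["nonce"])
    if replay_key in seen_nonces:
        return False, "replay"
    expected = compute_mac(key, normalize(ts, p["nonce"], method, uri,
                                          host, port, p.get("ext", "")))
    if not hmac.compare_digest(expected, p["mac"]):
        return False, "bad mac"                # request tampered or wrong key
    seen_nonces.add(replay_key)
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: what a client would send and a server would check.
    hdr = build_authorization("h480djs93hd8", CREDENTIALS["h480djs93hd8"],
                              "GET", "/resource/1?b=1&a=2", "example.com",
                              80, 1336363200, nonce="dj83hs9s")
    print(hdr)
    cache = set()
    print(verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 80,
                 1336363200, cache))
    # Replaying the captured header, or pointing it at another resource, fails.
    print(verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 80,
                 1336363200, cache))
    print(verify(hdr, "GET", "/resource/2", "example.com", 80,
                 1336363200, set()))
```

The contrast with a plain session cookie is in `verify`: a captured header is worthless for a different method, URI or host (the MAC no longer matches), and is worthless a second time against the same URI (the nonce cache rejects it), whereas a captured cookie value replays indefinitely. Note that the server-side replay cache and a clock window are what make the timestamp and nonce meaningful; without them the MAC only proves key possession, not freshness.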