On Wed, Jun 15, 2011 at 3:50 PM, Shane B Weeden <swee...@au1.ibm.com> wrote:
> Brain - can you elaborate on that a little? Are you suggesting that clients
> that can't keep secrets use a dummy (notasecret) pwd anyway to satisfy
> "requiring client authentication"?

Or use random secrets. Whatever floats your boat and keeps your product managers happy. It does not make a practical security difference for installed applications.

> What seems to be missing in the discussion and the security considerations
> of the spec is a decent list of general and grant-type-specific security
> implications/pros/cons for the system if meaningful client authentication
> at the token endpoint is available or not available.

Yep.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth