I agree with the factual information, but I disagree with the conclusion.
Indeed, there were postings from people who will "bake secrets into
installed applications." But there have also been postings from people
(like Torsten and me) who said they "will use real secrets and rely on
them."
I don't see why the latter group has to be ignored, but I surely
disagree that "people are going to ignore what the spec says on this."
Igor
On 6/16/2011 4:30 PM, Brian Eaton wrote:
On Thu, Jun 16, 2011 at 1:25 PM, Torsten Lodderstedt
<tors...@lodderstedt.net> wrote:
no I'm saying people will use real secrets and rely on them - just
as with OAuth 1.0
=)
People are going to ignore what the spec says on this. If you read
through the mailing list threads on this topic, you'll notice several
people have stated quite clearly that they are going to be baking
secrets into installed applications, and that they think they have
reasonable mitigations in place for the security risk.
It's not that those people are dumb, either. They understand exactly
what they are doing. And their native applications are not going to
be any less secure because of the choices they are making.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
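The disagreement above turns on one technical fact both sides take for granted: a secret compiled into an installed application can be read back by anyone who has a copy of the application, so it is not a credential the authorization server can treat as confidential. The following is an added example, not code from this thread or from any OAuth implementation; it builds a constructed stand-in for an application binary with a hypothetical client secret embedded as a literal string, then recovers it with the same printable-string scan that the `strings` utility performs.

```python
import re
import string

# Constructed sample standing in for an installed app's executable. The header
# bytes, the client id, the secret value and the token URL are all hypothetical.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(24)
    + b"\x89\x12\x00\xff" * 8
    + b"client_id=example-native-app\x00"
    + b"\x00\x13\x1f" * 5
    + b"client_secret=s3cr3t-baked-into-the-app\x00"
    + b"https://auth.example.test/token\x00"
    + bytes(range(256))
)

# Printable ASCII minus control whitespace; this is what `strings` keeps.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes in blob,
    which is the behaviour of the classic `strings` tool."""
    out: list[str] = []
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Matches the usual shapes a baked-in credential takes: client_secret=..., client-secret: ...
SECRET_PATTERN = re.compile(r"(?i)(client[_-]?secret)\s*[=:]\s*([^\s\"']+)")


def find_baked_secrets(blob: bytes) -> dict[str, str]:
    """Scan the recovered strings for OAuth client secrets and return
    {label: value}. An empty dict means nothing matched."""
    found: dict[str, str] = {}
    for s in extract_strings(blob):
        for m in SECRET_PATTERN.finditer(s):
            found[m.group(1).lower()] = m.group(2)
    return found


if __name__ == "__main__":
    # Anyone holding the binary, i.e. every user of the installed app, can do this.
    for label, value in find_baked_secrets(SAMPLE_BINARY).items():
        print(f"recovered {label} = {value}")
```

Obfuscating or splitting the literal raises the effort needed but does not change the outcome, since the application must reassemble the secret in memory before sending it to the token endpoint; that is why the spec treats an installed application as unable to keep a client secret, and why the posters who "bake" one anyway describe it as a choice made with other mitigations, not as confidential-client authentication.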