Where would you suggest I add this?

EHL

> -----Original Message-----
> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
> Sent: Monday, July 25, 2011 10:42 AM
> To: Eran Hammer-Lahav
> Cc: tors...@lodderstedt-online.de; oauth@ietf.org
> Subject: Re: [OAUTH-WG] redirect uri validation
>
> Hi Eran,
>
> >>> OAuth 1.0 was highly criticized for failing to address client
> >>> identity in public clients. I believe OAuth 2.0 offers a much better
> >>> story, within the boundaries of what’s possible today.
> >> Agreed. I think we must honestly discuss the value of client
> >> authentication/identification itself. I personally think it is
> >> over-emphasized right now. The strength of OAuth 2.0 is that it
> >> allows solutions where neither client nor resource server have access or do store end-user credentials.
> >> Client authentication is nice but not the main feature.
> > Do you have any specific suggestions not already mentioned on the list?
>
> I would suggest to mention that while an invalid redirect_uri indicates a
> counterfeit client a valid redirect does not prove the calling client's
> identity.
>
> regards,
> Torsten.
>
> > EHL
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
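
The distinction drawn in the quoted message, as an added example that is not part of the original thread or of the OAuth draft: an authorization-endpoint check that treats a redirect_uri mismatch as a reason to reject, and a match as nothing more than permission to redirect. The registry contents, the names `check_authorization_request`, `Decision` and `Verdict`, and the exact-string comparison rule are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed registry for illustration: client_id -> registered redirect URIs.
REGISTERED = {
    "photo-app": {"https://photo.example/cb"},
    "native-app": {"com.example.native:/oauth/cb"},
}


class Verdict(Enum):
    REJECT_UNKNOWN_CLIENT = "unknown client_id"
    REJECT_REDIRECT_MISMATCH = "redirect_uri not registered: counterfeit indicated"
    CONTINUE_IDENTITY_UNPROVEN = "redirect_uri registered: caller identity unproven"


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    may_redirect: bool          # safe to send the user agent to redirect_uri
    client_authenticated: bool  # never set by redirect_uri validation alone


def check_authorization_request(client_id: str, redirect_uri: str) -> Decision:
    registered = REGISTERED.get(client_id)
    if registered is None:
        return Decision(Verdict.REJECT_UNKNOWN_CLIENT, False, False)
    # Exact string comparison (assumption of this sketch): no prefix,
    # substring or normalised matching against the registered values.
    if redirect_uri not in registered:
        # Report the error locally; do not redirect to the unregistered URI.
        return Decision(Verdict.REJECT_REDIRECT_MISMATCH, False, False)
    # client_id and redirect_uri are public values that any caller can copy,
    # so a match permits the redirect but authenticates nobody.
    return Decision(Verdict.CONTINUE_IDENTITY_UNPROVEN, True, False)


if __name__ == "__main__":
    for cid, uri in [
        ("photo-app", "https://photo.example/cb"),
        ("photo-app", "https://photo.example.attacker.test/cb"),
        ("native-app", "com.example.native:/oauth/cb"),
        ("no-such-app", "https://photo.example/cb"),
    ]:
        d = check_authorization_request(cid, uri)
        print(f"{cid:12} {uri:42} -> {d.verdict.value}")
```

Two callers presenting the same client_id and registered redirect_uri receive identical decisions, which is why `client_authenticated` stays false on the success path.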