On 9/6/2011 2:23 PM, Michael Thomas wrote:
> ...
> How, exactly, is the user supposed to protect themselves against rogue
> apps?
> ...
There are a number of ways: 1) Buy shrink-wrapped software only, 2)
Inspect the source code of every application, etc... The mobile network
providers solve this problem by allowing ONLY applications signed with a
special key to run.
> Is oauth only intended to be used on standalone trustable web
> browsers? I don't recall seeing that anywhere.
When it comes to browsers, yes, the user is supposed to trust them. But
OAuth is expected to work with native applications, too (you may
find several interesting threads in the archive on that). In both cases,
ensuring that the application is not evil is a basic administrative
problem. It is not an OAuth problem, for two reasons: 1) whatever would
make OAuth fail here will make any other protocol fail; 2) neither
OAuth nor any other protocol can deal with key logging.
Igor
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth