Hi all, I also wanted to respond to various ideas that were entertained, including adding salt into the hash function and also for including other parameters in the hash.
Before adding new functionality we have to talk about the threats we are trying to address. For example, adding salt just makes the server do more computation. That wouldn't be useful as such. Adding other parameters into the hash function (such as the client/server identifiers) is indeed a common technique with key derivation functions. Here I wasn't able to come up with the attack that we would prevent by doing so.

Ciao
Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
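An added illustration, not part of the thread, of the key-derivation technique the message refers to: feeding the client and server identifiers into the KDF as context so that a key derived for one client/server pairing is distinct from the key for any other pairing, and cannot simply be replayed against a different server. HKDF-SHA256 (RFC 5869), the `oauth-session-key` label and the length-prefixed identifier encoding are assumptions for this example, not something the thread specifies.

```python
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF with HMAC-SHA256 (RFC 5869): extract a PRK, then expand it."""
    # RFC 5869: an absent salt is replaced by HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_context(*parts: str) -> bytes:
    """Length-prefix each identifier so ("ab","c") and ("a","bc") encode differently."""
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)


def derive_session_key(shared_secret: bytes, client_id: str, server_id: str) -> bytes:
    """Derive a key bound to this client/server pair (label and encoding are assumptions)."""
    info = b"oauth-session-key" + encode_context(client_id, server_id)
    return hkdf(shared_secret, b"", info)


def keys_are_separated(shared_secret: bytes) -> bool:
    """Same secret, different party identifiers: every derived key should differ."""
    pairs = [("client-a", "server-x"), ("client-b", "server-x"),
             ("client-a", "server-y"), ("server-x", "client-a")]
    keys = {derive_session_key(shared_secret, c, s) for c, s in pairs}
    return len(keys) == len(pairs)


if __name__ == "__main__":
    secret = b"constructed-shared-secret-for-demo"  # constructed sample input
    print(derive_session_key(secret, "client-a", "server-x").hex())
    print("separated:", keys_are_separated(secret))
```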