On Fri, Mar 19, 2010 at 8:44 AM, wrote:
> Hi,
>
> It appears that people agree excessive token length could be an issue for
> interoperability, but opinions vary on how long tokens could/should/must be.
> Relatively long tokens will occur when encoding data associated with the
> user (access righ
On Fri, Mar 19, 2010 at 1:28 PM, Ethan Jewett wrote:
> I don't think so. In the OpenSocial case, the only "OAuth Consumer"
> per se is the OpenSocial container. The gadget is not making signed
> requests and is completely trusting the container to represent it
> properly to the OAuth Provider. In
On Fri, Mar 19, 2010 at 2:16 PM, Ethan Jewett wrote:
> On Fri, Mar 19, 2010 at 2:44 PM, Brian Eaton wrote:
>> Plaintext doesn't work in this context, because it sends long-lived
>> secrets in clear-text to servers that are under the control of the
>> application author, or, in the case of gadgets
Accidentally sent the following directly to Brian instead of the list.
I'll try again
On Fri, Mar 19, 2010 at 2:44 PM, Brian Eaton wrote:
> Plaintext doesn't work in this context, because it sends long-lived
> secrets in clear-text to servers that are under the control of the
> application a
On Fri, Mar 19, 2010 at 2:45 PM, Brian Eaton wrote:
>
> Ah, the other reason plaintext doesn't work is because one of the
> goals is to guarantee the integrity of the identity information passed
> in the request - neither the application author nor the viewer of the
> application is permitted to t
I've updated the agenda to reflect our room change and some adjustments
to presenters and times.
http://www.ietf.org/proceedings/10mar/agenda/oauth.txt
Peter
--
Peter Saint-Andre
https://stpeter.im/
On Fri, Mar 19, 2010 at 11:44 AM, Brian Eaton wrote:
> Plaintext doesn't work in this context, because it sends long-lived
> secrets in clear-text to servers that are under the control of the
> application author, or, in the case of gadgets, everyone viewing the
> gadget.
Ah, the other reason pla
On Fri, Mar 19, 2010 at 10:52 AM, Ethan Jewett wrote:
> If I'm reading correctly, if the gadget chooses to use the container's
> private key, then that is making use of the RSA signature mechanism.
> If the gadget chooses to use the container's shared secret, then that
> is the HMAC-SHA1 signature
I think 4.5 should read "iLike gadget can choose to sign request with
MySpace's private key or with a shared secret between iLike &
MySpace."
If I'm reading correctly, if the gadget chooses to use the container's
private key, then that is making use of the RSA signature mechanism.
If the gadget ch
Hi,
It appears that people agree excessive token length could be an issue
for interoperability, but opinions vary on how long tokens
could/should/must be. Relatively long tokens will occur when encoding
data associated with the user (access rights, group memberships, etc.),
and integrity prot
Dear people in OAuth and other HTTP related mailing lists,
Last month I updated the draft for HTTP Mutual Access Authorization
Protocol proposal (draft-oiwa-http-mutualauth-06).
A full announcement has already been sent to the OAuth WG mailing list.
If you are interested, please see an article in OAut
11 matches