If we were using PKCS#7 for certs, then why not PKCS#7 the payload as well?
(No - I am not proposing to do it. Doing so with AES-128/192/256 is
prohibitive in some languages such as PHP, but just as a point of
discussion to close this.)
On Tue, Jun 22, 2010 at 6:33 PM, Ben Laurie wrote:
> On 22 J
Hi David,
Good to see you on Saturday.
This is what I was referring to over the lunch.
Separate endpoint still does not seem to meet the current section 3.
=nat
-- Forwarded message --
From: Nat Sakimura
Date: Tue, Jul 13, 2010 at 11:51 AM
Subject: Alternative ways to pass Aut
Thanks for sharing Paul!
On 2010-07-26, at 3:18 PM, Paul Tarjan wrote:
> Facebook released an early version of the proposed signature method, with the
> aim of getting real-life implementation experience. We are not currently
> using this for protected resource requests, but rather more like if
On Mon, Jul 26, 2010 at 4:11 PM, Eran Hammer-Lahav wrote:
> How do you link the client_id used in the authorization endpoint with the
> client assertion used in the token endpoint?
In theory:
"any document that defines how to use an assertion of a particular
type with OAuth 2.0 MUST define ho
How do you link the client_id used in the authorization endpoint with the
client assertion used in the token endpoint?
EHL
> -Original Message-
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Monday, July 26, 2010 3:51 PM
> To: Eran Hammer-Lahav
> Cc: Yaron Goland; oauth@ietf.or
On Mon, Jul 26, 2010 at 2:08 PM, Eran Hammer-Lahav wrote:
> I understand that in many assertions, the client identifier is established
> internally, but this approach will completely prevent using the assertion
> client authentication method with other flows that involve getting a code.
I'm prett
Facebook released an early version of the proposed signature method, with the
aim of getting real-life implementation experience. We are not currently using
this for protected resource requests, but rather more like if the authorization
server returned signed data as part of the access token res
By not incorporating the client_id parameter, you are preventing this client
authentication mode from being used with the end-user authorization endpoint.
In -09 I tried to separate the client_id from the client_secret, basically
moving the client_id to the token endpoint as an endpoint paramete
The following is proposed language for inclusion in the spec as section 2.2. I
would like to thank Brian Campbell, Brian Eaton, Chuck Mortimore, Dirk Balfanz,
Eric Sachs, Justin Smith and Marius Scurtescu for taking the time to review and
improve this proposal. Please note that the named folks c
Correct. If the user has to approve the response, then it doesn't function as
an open redirector. I'm only worried about returning an error immediately.
On Jul 26, 2010, at 10:29 AM, Marius Scurtescu wrote:
> On Mon, Jul 26, 2010 at 5:07 AM, Richer, Justin P. wrote:
>> And this is even a bigger
On Mon, Jul 26, 2010 at 5:07 AM, Richer, Justin P. wrote:
> And this is even a bigger potential problem when you combine it with
> unregistered or dynamically-registered clients, which we know some instances
> are going to support. In these cases, though, it's hard to trust *any* URL
> that the
And this is even a bigger potential problem when you combine it with
unregistered or dynamically-registered clients, which we know some instances
are going to support. In these cases, though, it's hard to trust *any* URL that
the client is asking for, even for valid responses.
-- justin