[Openid-specs-ab] Do we want to remove Encryption?
sakimura at gmail.com
Fri May 28 01:35:11 UTC 2010
That is a strong use case.
On Fri, May 28, 2010 at 3:56 AM, John Bradley <jbradley at mac.com> wrote:
> It is a requirement for maintaining privacy and security with a smart client or proxy.
> It could be an option to the RP authenticating itself via the request for the Authorization token.
> If, as in the OAuth 2.0 agent flow, you ask for the token without the client secret, the OP would encrypt the response to the RP.
> That probably should be in OAuth 2.0 as a core feature.
> Until OAuth adds that, I would keep our own encryption as an option.
> John B.
> On 2010-05-27, at 2:37 PM, Nat Sakimura wrote:
>> At IIW, we were almost removing the encryption option from the spec, but
>> I decided to wait until I heard from the wider community.
>> Some feedback that I was getting was that sometimes we want to have
>> payload-level encryption and not rely on the pipe (SSL).
>> SSL sessions are sometimes terminated in the middle, and to achieve
>> end-to-end encryption, payload-level encryption is the only way to go.
>> What do you think?
>> Nat Sakimura (=nat)
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
Nat Sakimura (=nat)