[Openid-specs-ab] Do we want to remove Encryption?

Nat Sakimura sakimura at gmail.com
Fri May 28 01:35:11 UTC 2010

Thanks John.

That is a strong use case.


On Fri, May 28, 2010 at 3:56 AM, John Bradley <jbradley at mac.com> wrote:
> It is a requirement for maintaining privacy and security with a smart client or proxy.
> It could be an option to the RP authenticating itself via the request for the Authorization token.
> If, as in the OAuth 2.0 agent flow, you ask for the token without the client secret, the OP would encrypt the response to the RP.
> That probably should be in OAuth 2.0 as a core feature.
> Until OAuth adds that, I would keep our own encryption as an option.
> John B.
> On 2010-05-27, at 2:37 PM, Nat Sakimura wrote:
>> At IIW, we were almost removing the encryption option from the spec, but
>> I decided to wait until I heard from the wider community.
>> Some feedback that I was getting was that sometimes we want to have
>> payload-level encryption and not rely on the pipe (SSL).
>> SSL sessions are sometimes terminated in the middle, and to achieve
>> end-to-end encryption, payload-level encryption is the only way to go.
>> What do you think?
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en

Nat Sakimura (=nat)
