[Openid-specs-ab] Do we want to remove Encryption?

John Bradley jbradley at mac.com
Thu May 27 18:56:35 UTC 2010


It is a requirement for maintaining privacy and security with a smart client or proxy.

It could be an option to the RP authenticating itself via the request for the Authorization token.

If, as in the OAuth 2.0 agent flow, you ask for the token without the client secret, the OP would encrypt the response to the RP.

That probably should be in OAuth 2.0 as a core feature.

Until OAuth adds that, I would keep our own encryption as an option.

John B.

On 2010-05-27, at 2:37 PM, Nat Sakimura wrote:

> At IIW, we were almost removing the encryption option from the spec, but
> I decided to wait until I heard from the wider community.
> 
> Some feedback that I was getting was that sometimes we want to have
> the payload level encryption and not rely on the pipe (SSL).
> SSL sessions are sometimes terminated in the middle and to achieve the
> end-to-end encryption, payload level encryption is the only way to go.
> 
> What do you think?
> 
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
