[Openid-specs-ab] Do we want to remove Encryption?

Nat Sakimura sakimura at gmail.com
Fri May 28 01:35:11 UTC 2010


Thanks John.

That is a strong use case.

=nat

On Fri, May 28, 2010 at 3:56 AM, John Bradley <jbradley at mac.com> wrote:
> It is a requirement for maintaining privacy and security with a smart client or proxy.
>
> It could be an option to the RP authenticating itself via the request for the Authorization token.
>
> If, as in the OAuth 2.0 agent flow, you ask for the token without the client secret, the OP would encrypt the response to the RP.
>
> That probably should be in OAuth 2.0 as a core feature.
>
> Until OAuth adds that, I would keep our own encryption as an option.
>
> John B.
> On 2010-05-27, at 2:37 PM, Nat Sakimura wrote:
>
>> At IIW, we almost removed the encryption option from the spec, but
>> I decided to wait until I heard from the wider community.
>>
>> Some feedback that I was getting was that sometimes we want to have
>> payload-level encryption and not rely on the pipe (SSL).
>> SSL sessions are sometimes terminated in the middle, and to achieve
>> end-to-end encryption, payload-level encryption is the only way to go.
>>
>> What do you think?
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
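Payload-level encryption of the OP's response to the RP, as the thread describes it (the RP obtains the token without a client secret, so the OP encrypts the response to the RP and a proxy that terminates SSL in the middle learns nothing). This is an added example, not code from the spec or from anyone on the list; it assumes hybrid RSA-OAEP key wrapping plus AES-GCM and a constructed TokenResponse shape, since the thread names no mechanism:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// TokenResponse is a constructed stand-in for the OP's answer to the RP, not the spec's wire format.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
}
// Envelope is all that crosses the TLS pipe: a proxy terminating SSL in the middle sees only this.
type Envelope struct {
	WrappedKey []byte // one-time AES key, RSA-OAEP encrypted to the RP's public key
	Nonce      []byte // AES-GCM nonce, fresh per response
	Ciphertext []byte // AES-GCM over the JSON response, authentication tag included
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// OPEncrypt: the OP seals the response so only the holder of the RP's private key can open it.
func OPEncrypt(rpPub *rsa.PublicKey, resp TokenResponse) (*Envelope, error) {
	plain, err := json.Marshal(resp)
	if err != nil { return nil, err }
	buf := make([]byte, 32+12) // fresh 256-bit key followed by a 96-bit nonce
	if _, err := rand.Read(buf); err != nil { return nil, err }
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpPub, key, nil)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plain, nil)}, nil
}
// RPDecrypt: the RP unwraps the key and opens the payload; any other key, or tampering, fails.
func RPDecrypt(rpPriv *rsa.PrivateKey, env *Envelope) (resp TokenResponse, err error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rpPriv, env.WrappedKey, nil)
	if err != nil { return resp, err }
	gcm, err := newGCM(key)
	if err != nil { return resp, err }
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil { return resp, err }
	return resp, json.Unmarshal(plain, &resp)
}
```

The RP's public key would be bound to its registration at the OP; how that binding is established is outside this example.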