Re: [OAUTH-WG] Twitter signature delegation use case

Brian Eaton <beaton@google.com> Tue, 16 March 2010 00:19 UTC

From: Brian Eaton <beaton@google.com>
To: David Recordon <recordond@gmail.com>
Cc: OAuth WG <oauth@ietf.org>, Raffi Krikorian <raffi@twitter.com>
Date: Mon, 15 Mar 2010 16:19:29 -0800
Subject: Re: [OAUTH-WG] Twitter signature delegation use case
In-Reply-To: <fd6741651003121242n5b24ef4cib75b4357e1a0f62@mail.gmail.com>
Message-ID: <daf5b9571003151719i32266beayf16fbcbf0469ed89@mail.gmail.com>

On Fri, Mar 12, 2010 at 12:42 PM, David Recordon <recordond@gmail.com> wrote:
> Was catching up with Raffi from Twitter yesterday and he pointed me
> to http://mehack.com/oauth-echo-delegation-in-identity-verificatio.  PDF
> also attached.

My read is that this is basically creating temporary passwords for users.

It works well if all of the Twitter relying parties trust each other.

It doesn't work if they don't trust each other (in the same way that
sharing passwords with sites that don't trust each other is bad.)

Have I understood it properly?

Cheers,
Brian