- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 18 Apr 2013 13:54:04 -0400
- To: Daniel Friesen <daniel@nadir-seen-fire.com>
- CC: Martin Thomson <martin.thomson@gmail.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, Carsten Bormann <cabo@tzi.org>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Daniel Friesen wrote: > You might want to think twice before you consider https implemented in > anything other than a web browser absolutely secure: > http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/ Yeah, good piece by Eran, seen it. In the most basic form of Web Payments, we require HTTPS and HTTP Signatures. For operations that are very sensitive, we require HTTPS, HTTP Signatures, and digitally signed JSON. Amos Jeffries wrote: > Your auth scheme needs to be as self-contained as possible and take > advantage of every little bit of security that it can do without relying > on external layers such as the SSL/TLS layer. It is better to be > doubly-strong when HTTPS works than to depend on it alone break at the > first sign of trouble. See above. We have multiple layers where it's important so hopefully if one layer fails, the other two will make up for it to prevent a compromise. -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: Meritora - Web payments commercial launch http://blog.meritora.com/launch/
Received on Thursday, 18 April 2013 17:54:41 UTC