Richard,

> IMHO, authenticating access requests makes for a more secure protocol with
> not much more cost (the credentials are already there, since Consumer
> already has to authenticate to the SP to get the request token). But YMMV.

I would prefer the authentication PROTOCOL(S) only used the access token secret (after the delegation flow).

If a particular Service wants to discourage Clients from handing off access tokens, that Service can deliberately include the Client's shared secret as part of the access token secret -- and tell the Clients this. Consequently, sharing access tokens is equivalent to sharing Client credentials for that Service, but Clients of other Services are not restricted -- and we don't need any explicit options (complexity) in the spec for this feature.

[Service documentation should be sufficient for this (no discovery necessary), as it is hard to imagine a Client dynamically deciding whether or not to hand off an access token.]

James Manger
James.H.Manger at team.telstra.com
Identity and security team — Chief Technology Office — Telstra
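The design James describes above, a Service folding the Client's shared secret into the access token secret so that handing off the token secret is the same as handing off the Client credential for that Service, as an added Python sketch. It is not part of the original post or of any OAuth specification; the `Service` class, the HMAC-SHA256 request signature over `method&url&nonce`, and the `.` separator inside the token secret are all assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets

# Assumed layout of the token secret: "<client_secret>.<per-token random>".
# The separator is a choice for this illustration; the point is only that the
# Client secret is recoverable from the token secret, as the post describes.
SEP = "."


def sign_request(token_secret: str, method: str, url: str, nonce: str) -> str:
    """Assumed request signature: HMAC-SHA256 keyed with the token secret."""
    base = f"{method}&{url}&{nonce}".encode()
    return hmac.new(token_secret.encode(), base, hashlib.sha256).hexdigest()


def recover_client_secret(token_secret: str) -> str:
    """What anyone holding a handed-off token secret can read off it."""
    return token_secret.split(SEP, 1)[0]


class Service:
    """Toy Service that binds access token secrets to Client credentials."""

    def __init__(self) -> None:
        self.client_secrets: dict[str, str] = {}          # client_id -> shared secret
        self.tokens: dict[str, tuple[str, str]] = {}      # token_id -> (client_id, token_secret)

    def register_client(self, client_id: str, client_secret: str) -> None:
        if SEP in client_secret:
            raise ValueError("client secret must not contain the separator")
        self.client_secrets[client_id] = client_secret

    def authenticate_client(self, client_id: str, client_secret: str) -> bool:
        """The check a Client must pass to obtain a request token."""
        stored = self.client_secrets.get(client_id)
        return stored is not None and hmac.compare_digest(stored, client_secret)

    def issue_access_token(self, client_id: str, client_secret: str) -> tuple[str, str]:
        """End of the delegation flow: the token secret embeds the Client secret."""
        if not self.authenticate_client(client_id, client_secret):
            raise PermissionError("unknown client or bad secret")
        token_id = secrets.token_hex(8)
        token_secret = client_secret + SEP + secrets.token_hex(16)
        self.tokens[token_id] = (client_id, token_secret)
        return token_id, token_secret

    def verify_request(self, token_id: str, method: str, url: str,
                       nonce: str, signature: str) -> bool:
        """Protected-resource access uses only the token secret, as the post prefers."""
        entry = self.tokens.get(token_id)
        if entry is None:
            return False
        _, token_secret = entry
        expected = sign_request(token_secret, method, url, nonce)
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Walk through issuance, use, and the consequence of handing the token off."""
    svc = Service()
    svc.register_client("app1", "s3cr3t")                  # constructed credentials
    token_id, token_secret = svc.issue_access_token("app1", "s3cr3t")

    url = "https://example.invalid/resource"                # constructed target URL
    sig = sign_request(token_secret, "GET", url, "n1")
    legit_ok = svc.verify_request(token_id, "GET", url, "n1", sig)
    tampered_ok = svc.verify_request(token_id, "GET", url + "?x=1", "n1", sig)

    # A party that is handed (token_id, token_secret) necessarily holds the
    # Client secret as well, so it can pass the Client authentication step.
    recovered = recover_client_secret(token_secret)
    as_client = svc.authenticate_client("app1", recovered)

    return {
        "legit_request_ok": legit_ok,
        "tampered_request_ok": tampered_ok,
        "recovered_client_secret": recovered,
        "third_party_can_authenticate_as_client": as_client,
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the post describes falls out directly: resource requests still need nothing beyond the token secret, while any Client that shares that secret has also shared its credential for this particular Service, and a Service that does not want that property simply issues a token secret with no Client-secret component.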
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.