
I think the obvious next step was / is to make OAuth 1.0A into OAuth 1.1 by mandating TLS/SSL and declaring the SSL-mimicking parts like the timestamp and nonce optional (i.e. ignored). Anyone can just do it by fiat, since it will be backwards compatible with OAuth 1.0A clients. They'll just send the proper timestamps and nonces, but you ignore those fields.

I found those fields were 90% of the problem with OAuth 1.0A implementations. Maybe there's security value in those parts in an SSL environment I am missing, but I doubt it since SSL does the exact same thing.


