On 11/01/2013 10:01 PM, bitcoingrant@gmx.com wrote:

> Server provides a token for the client to sign.

Anyone else concerned about signing an arbitrary string?  Could be a
hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my own
randomly generated nonce, sign that, then pass the nonce and the
signature back to the server for verification.

-- 
Johnathan Corgan, Corgan Labs
SDR Training and Development Services
http://corganlabs.com