What kind of security is used to prevent unauthorized use of tokens?
We have always felt that the need for security must be balanced with the risk of exposure. There are two ways to minimize that risk: technical and financial. Tokens in the Clickshare Service have limited value: limited in time, and limited in dollar value, in that everyone we're currently in discussion with wants to begin by using the Service for small-value transactions ($.10 to $1.00), as we had planned. The contents of the token are not readable by any of the Web Servers, which deal with the token as an opaque string in all cases. Therefore, private key encryption can be used for the token, since only the Authentication Server that issued the token has to read its contents. Second, several parameters are built into the service that can act as a "throttle" on the amount of use a token gets. This prevents a thief from rapidly acquiring volumes of chargeable material (say, using a specially designed "agent" program). Third, each token is anchored to one IP address, and valid for only o
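The controls described in this answer (an opaque token only the issuer can read, a time limit, an IP anchor and a usage throttle) can be sketched as follows. This is an added example, not Clickshare's code. The field names, the 600-second lifetime and the use and spend caps are assumptions, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted authenticated cipher.

```python
import hashlib, hmac, json, os

# Assumed values, not Clickshare's: key, lifetime, use cap, spend cap (cents).
KEY = os.urandom(32)  # held only by the Authentication Server
TTL_S, MAX_USES, MAX_CENTS = 600, 20, 100
K_ENC = hmac.new(KEY, b"enc", hashlib.sha256).digest()
K_MAC = hmac.new(KEY, b"mac", hashlib.sha256).digest()
_usage = {}  # token id -> (uses, cents spent); server-side throttle state

def _xor_stream(nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode used as a keystream.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(K_ENC, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(nonce, ct):
    return hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()

def issue(user, ip, now):
    """Authentication Server: seal the claims into an opaque string."""
    claims = {"u": user, "ip": ip, "exp": now + TTL_S, "id": os.urandom(8).hex()}
    nonce = os.urandom(16)
    ct = _xor_stream(nonce, json.dumps(claims).encode())
    return (nonce + ct + _tag(nonce, ct)).hex()

def validate(token, client_ip, cents, now):
    """Authentication Server: check a token a Web Server passed through unread."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return "malformed"
    if len(raw) < 48:
        return "malformed"
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(nonce, ct)):
        return "forged"
    claims = json.loads(_xor_stream(nonce, ct))
    if now >= claims["exp"]:
        return "expired"
    if claims["ip"] != client_ip:
        return "wrong-ip"
    uses, spent = _usage.get(claims["id"], (0, 0))
    if uses >= MAX_USES or spent + cents > MAX_CENTS:
        return "throttled"
    _usage[claims["id"]] = (uses + 1, spent + cents)
    return "ok"
```

The throttle state lives on the Authentication Server rather than in the token, so a copied token cannot reset its own counters.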