[Openid-specs-ab] Spec call notes 2016-01-21

Nat Sakimura sakimura at gmail.com
Mon Jan 25 16:13:09 UTC 2016


OpenID AB/Connect WG Call (2016-01-21)
===============================================
Date & Time: 2016-01-21 15:00Z - 16:30Z
Present: Nat, George, Nov, John

On the call, recent findings on OAuth security were discussed. John
explained the results of the Darmstadt OAuth meetings. The documents in
question were:
[1] https://mailarchive.ietf.org/arch/msg/oauth/JIVxFBGsJBVtm7ljwJhPUm3Fr-w
[2] https://docs.google.com/document/d/136Cz2iwUFMdoKWZPCqZRhkmfmHAlJ6kM5OyeXzGptU4/edit

Lengthy discussion followed.

The issuer compare assumes that the malicious endpoints came from discovery
rather than from some static attack, and the client_id compare assumes that
two authorization servers cannot issue the same client_id to a given client.
Thus, neither approach seemed to work.
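To make the two checks and their assumptions concrete, here is an added illustration (not from the notes or the referenced documents): a client that binds each authorization request's state to the issuer it was sent to, then applies the issuer compare and the client_id compare on the callback. The server registrations, URLs and client_id values are constructed sample data; the second registration deliberately reuses the same client_id to show how the client_id compare loses its discriminating power when that assumption does not hold.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample registrations (not real servers). Both servers have
# issued the same client_id to this client, which is exactly the case the
# client_id compare assumes cannot happen.
AUTH_SERVERS = {
    "https://as-one.example": {"client_id": "client-abc"},
    "https://as-two.example": {"client_id": "client-abc"},
}


@dataclass
class Client:
    # state -> issuer the authorization request was actually sent to
    pending: dict = field(default_factory=dict)

    def start_authorization(self, issuer: str) -> str:
        """Record which issuer this request goes to, keyed by a fresh state."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def check_issuer(self, state: str, response_iss: str) -> bool:
        """Issuer compare: the issuer in the response must equal the one
        the request was sent to. Only meaningful if the client learned the
        issuer through a channel it can rely on before sending the request."""
        expected = self.pending.get(state)
        return expected is not None and expected == response_iss

    def check_client_id(self, state: str, response_client_id: str) -> bool:
        """client_id compare: the client_id in the response must equal the
        one registered at the server the request was sent to."""
        expected = self.pending.get(state)
        if expected is None:
            return False
        return AUTH_SERVERS[expected]["client_id"] == response_client_id


def demo() -> dict:
    """Send a request to as-one, then receive a response that claims to come
    from as-two. Returns whether each compare rejects that mismatch."""
    client = Client()
    state = client.start_authorization("https://as-one.example")
    cross_as_iss = "https://as-two.example"
    cross_as_client_id = AUTH_SERVERS[cross_as_iss]["client_id"]
    return {
        "issuer_compare_rejects": not client.check_issuer(state, cross_as_iss),
        "client_id_compare_rejects": not client.check_client_id(state, cross_as_client_id),
    }
```

Running `demo()` shows the issuer compare rejecting the cross-server response while the client_id compare accepts it, because the two servers share a client_id.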

The participants agreed to further investigate.

The meeting adjourned at 16:30Z.