[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

torsten at lodderstedt.net torsten at lodderstedt.net
Thu Apr 14 15:31:48 UTC 2016


I meant the different threats and mitigations, not just this. 


-------- Original message --------
Subject: Re: [Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
From: John Bradley <ve7jtb at ve7jtb.com>
To: Torsten Lodderstedt <torsten at lodderstedt.net>
Cc: William Denniss <wdenniss at google.com>, openid-specs-ab at lists.openid.net

>For this we have one proposal from Google in Connect and another proposal from Nov in OAuth.  
>
>I think there is an effort to reconcile them. This is JS API stuff more than network based, so needs experts.
>
>John B.
>> On Apr 14, 2016, at 10:40 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> 
>> How and when shall we start to put the pieces together?
>> 
>> On 14.04.2016 at 13:03, John Bradley wrote:
>>> Yes.
>>> 
>>> We should also work on an alternative for fragment for in browser JS. We do have a couple of proposals at this point.
>>> 
>>>> On Apr 14, 2016, at 6:02 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>> 
>>>> On 12.04.2016 at 23:28, John Bradley wrote:
>>>>> Basically fragment encoding is not a good idea any more other than for JS in the browser or for native apps using view controllers or system browsers.
>>>>> 
>>>>> Servers really should support the form post response mode.
>>>> This should go into the new security threat model and mitigations document we talked about in the OAuth session.
>>>> 
>> 
>
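The thread above recommends that servers support the form post response mode instead of fragment encoding, and the profile under discussion is meant to be mix-up and cut-and-paste proof. The following is an added illustration, not code from the list or from any of the proposals mentioned: a minimal relying-party check of a `response_mode=form_post` authorization response. It assumes the relying party records, per browser session, the issuer it sent the user to and a single-use `state`, and that the authorization server echoes its identity in an `iss` response parameter (the mix-up mitigation approach that was later standardized in RFC 9207). The session store, session ids, issuer URLs and the authorization code are constructed sample values. Only the response-side checks are shown; binding the code itself to the client at the token endpoint is out of scope here.

```python
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store. A real relying party keeps this
# server-side, keyed by the browser's session cookie.
SESSIONS = {}


class ResponseRejected(ValueError):
    """Raised when a form_post authorization response fails validation."""


def start_authorization(session_id, issuer):
    """Bind this browser session to one issuer and mint a fresh state.

    The relying party then redirects the user to that issuer with
    response_mode=form_post and this state; nothing else is accepted back.
    """
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"state": state, "issuer": issuer, "consumed": False}
    return state


def parse_form_body(body):
    """Parse an application/x-www-form-urlencoded POST body.

    Repeated keys are rejected so a response cannot carry two different
    'code' or 'state' values and rely on the server picking the wrong one.
    """
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    params = {}
    for key, values in parsed.items():
        if len(values) != 1:
            raise ResponseRejected(f"repeated parameter: {key}")
        params[key] = values[0]
    return params


def validate_form_post_response(session_id, body):
    """Validate the POSTed response for this session and return the code.

    - state must equal the value bound to this session and is consumed on the
      first attempt, so a response pasted into another session, or replayed,
      is rejected;
    - iss must name the issuer this session was sent to, so a code issued by
      a different authorization server (mix-up) is rejected;
    - error responses and responses without a code are rejected.
    """
    params = parse_form_body(body)
    session = SESSIONS.get(session_id)
    if session is None or session["consumed"]:
        raise ResponseRejected("no pending authorization for this session")
    # Burn the state on the first attempt, whether or not it succeeds.
    session["consumed"] = True
    if not secrets.compare_digest(params.get("state", ""), session["state"]):
        raise ResponseRejected("state does not match this session")
    if params.get("iss") != session["issuer"]:
        raise ResponseRejected("issuer does not match the issuer this session was sent to")
    if "error" in params:
        raise ResponseRejected(f"authorization server returned error: {params['error']}")
    code = params.get("code")
    if not code:
        raise ResponseRejected("missing authorization code")
    return code


def rejection_reason(session_id, body):
    """Return the rejection message for a response, or None if it validates."""
    try:
        validate_form_post_response(session_id, body)
    except ResponseRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed walk-through: an honest response, then a mix-up attempt.
    st = start_authorization("browser-1", "https://honest-as.example")
    good = f"code=SplxlOBeZQQYbYS6WxSbIA&state={st}&iss=https%3A%2F%2Fhonest-as.example"
    print("accepted code:", validate_form_post_response("browser-1", good))
    st = start_authorization("browser-2", "https://honest-as.example")
    mixed = f"code=SplxlOBeZQQYbYS6WxSbIA&state={st}&iss=https%3A%2F%2Fother-as.example"
    print("mix-up attempt:", rejection_reason("browser-2", mixed))
```

Because `state` is consumed on the first attempt, even a failed one, a second POST for the same session is refused regardless of its contents; the relying party simply starts a new authorization if the user retries.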