[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
ve7jtb at ve7jtb.com
Sat Apr 23 14:57:33 UTC 2016
I think there are two discussions.
One is what the OAuth WG should do and that should be on the OAuth list.
There is a separate discussion about what Connect should recommend until
OAuth addresses the issue.
I think the latter was how this thread started.
We should not wait for OAuth to recommend something before we
explain the existing mitigations in Connect.
The touchier topic is should we add anything new before OAuth decides.
To Brian's point about the AS not identifying itself in the response, that
was the recommended change from the Darmstadt meeting. I am however
hesitant to take that up as a Connect only fix even though it would work
just fine for Connect.
On Apr 23, 2016 9:04 AM, "Brian Campbell" <bcampbell at pingidentity.com> wrote:
> Just noticed a typo in my previous message. I meant to write "omission"
> rather than "commission" there. Should have said:
> My view is still that the attack is enabled by an *omission* in OAuth of
> the AS identifying itself in the authorization response. I think the fix
> should be at that layer too. Progress in the OAuth WG isn't exactly
> promising though...
> On Sat, Apr 23, 2016 at 5:36 AM, Torsten Lodderstedt <
> torsten at lodderstedt.net> wrote:
>> Am 15.04.2016 um 19:05 schrieb Brian Campbell:
>>> My view is still that the attack is enabled by an commission in OAuth of
>>> the AS identifying itself in the authorization response. I think the fix
>>> should be at that layer too. Progress in the OAuth WG isn't exactly
>>> promising though...
>> Why don't we bring this discussion to the OAuth WG? It's nearly the same
>> group of people as on this list.
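The mitigation the thread keeps returning to, the AS identifying itself in the authorization response, is small enough to model end to end. The following is an added example written for this archive page, not code from any of the participants or from the Connect or OAuth specifications. It simulates the mix-up scenario: the client starts a flow with an attacker-controlled AS, the attacker forwards the browser to the honest AS with the same state, and the honest AS's code comes back to a client that believes the flow belongs to the attacker's AS. The issuer URLs, redirect URI, and the in-memory state store are constructed for the example; the response parameter is called `iss`, the name later standardized in RFC 9207, but here it stands only for "some way for the AS to name itself in the response", which is the hypothetical profile change under discussion.

```python
"""Mix-up mitigation: the AS identifies itself in the authorization response.

Added example (not from the thread). Two ASes, one client that records which
issuer each `state` was sent to, and a response check that refuses to redeem a
code when the AS that issued it is not the AS the client thinks it is talking to.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the scenario (assumptions, not real deployments).
HONEST_ISS = "https://honest-as.example"
ATTACKER_ISS = "https://attacker-as.example"
CLIENT_REDIRECT_URI = "https://client.example/cb"


class Client:
    """OAuth client / RP that remembers which AS each authorization request went to."""

    def __init__(self, require_iss=True):
        self.require_iss = require_iss
        self.pending = {}  # state -> issuer the request was sent to (hypothetical store)

    def start_flow(self, issuer):
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_response(self, redirect_url):
        """Validate the authorization response; return (issuer to redeem the code at, code)."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        issuer = self.pending.pop(params.get("state"), None)
        if issuer is None:
            raise ValueError("unknown or replayed state")
        iss = params.get("iss")
        if iss is None:
            if self.require_iss:
                raise ValueError("authorization response does not identify the AS")
            # Unhardened behaviour: trust the state binding alone. This is the
            # omission the thread discusses; the code goes to `issuer` unchecked.
            return issuer, params["code"]
        if iss != issuer:
            raise ValueError(f"mix-up detected: expected {issuer}, response came from {iss}")
        return issuer, params["code"]


def authorization_response(issuer, state, include_iss):
    """Redirect an AS sends back to the client (constructed; code is random)."""
    q = {"code": secrets.token_urlsafe(8), "state": state}
    if include_iss:
        q["iss"] = issuer
    return f"{CLIENT_REDIRECT_URI}?{urlencode(q)}"


def simulate_mixup(as_includes_iss, client_requires_iss):
    """User is sent to the attacker's AS, which forwards the browser to the honest
    AS with the same state; the honest AS's code lands on a client that has this
    state recorded against the attacker's issuer."""
    client = Client(require_iss=client_requires_iss)
    state = client.start_flow(ATTACKER_ISS)
    response = authorization_response(HONEST_ISS, state, as_includes_iss)
    try:
        issuer, _code = client.handle_response(response)
    except ValueError:
        return "rejected"
    # Without detection the client would now POST the code to `issuer`'s token endpoint.
    return "code sent to attacker" if issuer == ATTACKER_ISS else "code sent to honest AS"


def simulate_honest_flow():
    """Control case: request and response both involve the honest AS."""
    client = Client(require_iss=True)
    state = client.start_flow(HONEST_ISS)
    issuer, _code = client.handle_response(authorization_response(HONEST_ISS, state, True))
    return issuer


if __name__ == "__main__":
    print("AS names itself, client checks:     ", simulate_mixup(True, True))
    print("AS silent, client requires iss:     ", simulate_mixup(False, True))
    print("AS silent, legacy client:           ", simulate_mixup(False, False))
    print("Honest flow redeems at:             ", simulate_honest_flow())
```

The last two cases are the point of the thread: a client that checks the issuer in the response (or refuses responses that lack it) rejects the mixed-up flow, while a client relying on state alone hands the honest AS's code to the attacker's token endpoint. Whether that check is layered on Connect or fixed in OAuth itself is the open question in the messages above.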