[Openid-specs-fapi] [Bitbucket] Issue #123: Is it okay for request object URNs to be predictable? (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Wed Sep 13 15:34:35 UTC 2017

Joseph Heenan created issue #123:
Is it okay for request object URNs to be predictable?<https://bitbucket.org/openid/fapi/issues/123/is-it-okay-for-request-object-urns-to-be>

FAPI part 2 7.1 currently says:

Note that `request_uri` can be either URL or URN.
If it is a URL, it shall be based on a cryptographic random value so that it is difficult to predict for an attacker.

This would seem to imply that if a URN is used it is okay for the URN to be predictable.

I am not 100% certain that is the case (perhaps an attacker could cause a DoS by attempting to use other people's URNs, as the URNs are meant to be one-time use? Though this probably requires at least a partial compromise of the client credentials too).

[https://d301sr5gafysq2.cloudfront.net/4373ea877c7d/img/icons/jira/bug.png]     bug

[https://d301sr5gafysq2.cloudfront.net/4373ea877c7d/img/icons/jira/priority_major.png]  major

Component:      Part 2: RW Security

View this issue<https://bitbucket.org/openid/fapi/issues/123/is-it-okay-for-request-object-urns-to-be> or add a comment by replying to this email.

Unsubscribe from issue emails<https://bitbucket.org/api/1.0/repositories/openid/fapi/issue/123/unsubscribe/openid/df2bfe7836723d6e685249a416e7c899130d4b87/> for this repository.               [Bitbucket]  <https://bitbucket.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20170913/69054c1b/attachment-0001.html>

More information about the Openid-specs-fapi mailing list