[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
torsten at lodderstedt.net
Thu Apr 14 15:31:48 UTC 2016
I meant the different threats and mitigations, not just this.
-------- Original message --------
Subject: Re: [Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
From: John Bradley <ve7jtb at ve7jtb.com>
To: Torsten Lodderstedt <torsten at lodderstedt.net>
Cc: William Denniss <wdenniss at google.com>, openid-specs-ab at lists.openid.net
>For this we have one proposal from Google in Connect and another proposal from Nov in OAuth.
>
>I think there is an effort to reconcile them. This is JS API stuff more than network based, so needs experts.
>
>John B.
>> On Apr 14, 2016, at 10:40 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>
>> How and when shall we start to put the pieces together?
>>
>> On 14.04.2016 at 13:03, John Bradley wrote:
>>> Yes.
>>>
>>> We should also work on an alternative for fragment for in-browser JS. We do have a couple of proposals at this point.
>>>
>>>> On Apr 14, 2016, at 6:02 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>>
>>>> On 12.04.2016 at 23:28, John Bradley wrote:
>>>>> Basically fragment encoding is not a good idea any more other than for JS in the browser or for native apps using view controllers or system browsers.
>>>>>
>>>>> Servers really should support the form post response mode.
>>>> This should go into the new security threat model and mitigations document we talked about in the OAuth session.
>>>>
>>
>