[Openid-specs-ab] Spec call notes 2016-01-21
Nat Sakimura
sakimura at gmail.com
Mon Jan 25 16:13:09 UTC 2016
OpenID AB/Connect WG Call (2016-01-21)
===============================================
Date & Time: 2016-01-21 15:00Z - 16:30Z
Present: Nat, George, Nov, John
On the call, recent findings on OAuth security were discussed. John
explained the results of the Darmstadt OAuth meetings. The documents in
question were:
[1] https://mailarchive.ietf.org/arch/msg/oauth/JIVxFBGsJBVtm7ljwJhPUm3Fr-w
[2] https://docs.google.com/document/d/136Cz2iwUFMdoKWZPCqZRhkmfmHAlJ6kM5OyeXzGptU4/edit
Lengthy discussion followed.
The issuer compare assumes that the malicious endpoints came from discovery
rather than some static attack and the client_id compare assumes that two
authorization servers cannot have the same client_id for a given client.
Thus, neither way seemed to work.
The participants agreed to further investigate.
The meeting adjourned at 16:30 Z.
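The two client-side checks the notes weigh (compare the issuer, compare the client_id) and the assumption each one rests on, as an added worked example. This is not code from the meeting or from the linked documents: the `iss` and `client_id` authorization-response parameters, the issuer URLs and the state values are all constructed here, and the two "defeated" functions encode one reading of the notes' caveats (a statically configured attacker endpoint that echoes the expected issuer; two authorization servers that issued the client the same client_id).

```python
from dataclasses import dataclass

HONEST_AS = "https://honest-as.example"      # constructed issuer identifier
ATTACKER_AS = "https://attacker-as.example"  # constructed issuer identifier


@dataclass(frozen=True)
class PendingAuthz:
    """What the client recorded when it sent the authorization request."""
    issuer: str
    client_id: str


class Client:
    def __init__(self):
        self._pending = {}  # state value -> PendingAuthz

    def start(self, state, issuer, client_id):
        """Record which AS (and which client_id at that AS) this flow targets."""
        self._pending[state] = PendingAuthz(issuer, client_id)

    def check_response(self, params, compare_issuer=True, compare_client_id=True):
        """Validate the query parameters carried by the redirect back to the client.

        Returns (accepted, reason). Assumption of this example: the AS echoes
        its issuer as `iss` and the client's id as `client_id` in the response.
        """
        pending = self._pending.pop(params.get("state"), None)
        if pending is None:
            return False, "unknown state"
        if compare_issuer and params.get("iss") != pending.issuer:
            return False, "issuer mismatch"
        if compare_client_id and params.get("client_id") != pending.client_id:
            return False, "client_id mismatch"
        return True, "ok"


def honest_flow():
    """Baseline: the response comes from the AS the flow was started with."""
    c = Client()
    c.start("s1", HONEST_AS, "client-at-honest")
    return c.check_response({"state": "s1", "iss": HONEST_AS,
                             "client_id": "client-at-honest", "code": "c1"})


def mixup_caught_by_issuer_compare():
    """Flow started with HONEST_AS, response arrives from ATTACKER_AS, whose
    endpoint truthfully states its own issuer: the issuer compare rejects it."""
    c = Client()
    c.start("s1", HONEST_AS, "client-at-honest")
    return c.check_response({"state": "s1", "iss": ATTACKER_AS,
                             "client_id": "client-at-honest", "code": "c2"})


def issuer_compare_defeated_by_static_endpoint():
    """First caveat from the notes: the issuer compare assumes the endpoints
    came from discovery. If the client's static configuration for HONEST_AS
    already points at an attacker-controlled endpoint, that endpoint can
    simply echo iss=HONEST_AS (and the expected client_id) and both checks pass."""
    c = Client()
    c.start("s1", HONEST_AS, "client-at-honest")
    echoed = {"state": "s1", "iss": HONEST_AS,
              "client_id": "client-at-honest", "code": "c3"}
    return c.check_response(echoed)


def client_id_compare_defeated_by_shared_client_id():
    """Second caveat: the client_id compare assumes no two ASes gave this
    client the same client_id. Here ATTACKER_AS registered it under the same
    id, so a client_id-only check accepts the attacker's response."""
    c = Client()
    c.start("s1", HONEST_AS, "client-shared")
    return c.check_response({"state": "s1", "iss": ATTACKER_AS,
                             "client_id": "client-shared", "code": "c4"},
                            compare_issuer=False)


if __name__ == "__main__":
    print("honest flow:", honest_flow())
    print("mix-up, issuer compare:", mixup_caught_by_issuer_compare())
    print("static endpoint echoes issuer:", issuer_compare_defeated_by_static_endpoint())
    print("shared client_id, client_id compare only:",
          client_id_compare_defeated_by_shared_client_id())
```

The state lookup is what ties a response to the AS the client meant to talk to; both compares are only as good as the record made at `start`, which is why a statically mis-set endpoint or a colliding client_id slips past them.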