[Openid-specs-ab] Issue #1750: PKCE and pre-auth code flow in VCI (openid/connect)

Joseph Heenan joseph at authlete.com
Tue Dec 13 11:51:40 UTC 2022


Hi Tom

Perhaps ‘mitigation’ is not the best word to use here - the intent is to see if there’s something that provides equivalent session integrity protection as PKCE that we would recommend for this particular case where PKCE can’t be used. I think that intent should be fairly uncontentious.

Thanks

Joseph


> On 13 Dec 2022, at 05:14, Tom Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> There are 2000 new vulnerabilities posted by CISA every month. About 15% of those are severe.
> How is it that you think OIDF can be in the business of posting mitigations?
> https://www.cvedetails.com/vulnerabilities-by-types.php
> This is why I opposed the addition of attack models to the fapi docs.  Now you are going down the same rathole?
> These mitigations will be obsolete before the std is approved.
> 
>  ..tom
> 
> 
> On Wed, Dec 7, 2022 at 9:39 PM Kristina Yasuda via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> New issue 1750: PKCE and pre-auth code flow in VCI
> https://bitbucket.org/openid/connect/issues/1750/pkce-and-pre-auth-code-flow-in-vci
> 
> Kristina Yasuda:
> 
> (following [Joseph’s comment](https://bitbucket.org/openid/connect/pull-requests/372#comment-351680555)) “I don’t think PKCE can be used with the pre-authorised code flow, we should probably explicitly state that (and perhaps mention alternative mitigations).”
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
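To make concrete what "equivalent session integrity protection as PKCE" refers to in the thread, here is an added example (not code from the thread, the OpenID specifications, or any OIDF implementation) of the PKCE binding defined in RFC 7636. The `AuthorizationServer` class is a hypothetical minimal model: it stores the `code_challenge` carried in the authorization request and, at the token endpoint, checks the presented `code_verifier` against it, so an authorization code can only be redeemed by the session that started the flow. The pre-authorized code flow has no authorization request from the wallet (the code reaches it out of band), so there is no step corresponding to `authorize()` in which a challenge could be conveyed; that is the gap the issue asks about.

```python
"""Added example of the PKCE (RFC 7636) binding discussed in the thread.
Not from the OpenID specs or the mailing list; AuthorizationServer is a
hypothetical minimal model, not a real authorization server."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client-side random secret: 32 bytes -> 43 unreserved characters,
    inside the 43..128 range RFC 7636 section 4.1 allows."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal AS: binds the challenge from the authorization
    request to the code it issues, then checks the verifier at the token
    endpoint. Codes are single-use."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        # Front channel: the challenge arrives with the authorization request
        # and is stored against the code issued for this session.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Back channel: pop so a replayed code fails; an unknown code fails too.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False
        # Only the party holding the original verifier can satisfy this check,
        # which is the session-integrity property the thread refers to.
        return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)


def pkce_flow(server: AuthorizationServer, tamper: bool = False) -> bool:
    """One wallet session end to end. With tamper=True the token request
    presents a verifier from a different session, modelling a code being
    redeemed outside the session that started the flow."""
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    presented = generate_code_verifier() if tamper else verifier
    return server.token(code, presented)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("honest session:", pkce_flow(srv))                # True
    print("foreign verifier:", pkce_flow(srv, tamper=True))  # False
```

The `code_challenge_s256` function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the specification directly. In the pre-authorized code flow there is no `authorize()` call on the wallet's side, and therefore nothing stored for `token()` to compare against; any replacement protection for that flow has to bind the code to the wallet session by some other means.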
