[Openid-specs-ab] Issue #1703: Unsigned error response (openid/connect)
rolandh
issues-reply at bitbucket.org
Tue Nov 1 07:49:21 UTC 2022
New issue 1703: Unsigned error response
https://bitbucket.org/openid/connect/issues/1703/unsigned-error-response
Roland Hedberg:
One of the foundational design criteria with OIDC Federation was to have end-to-end protection of messages that was not dependent on TLS.
There is one response message that is not protected by an issuer signature, and that is the error message.
After discussion between the editors we have decided to add a security consideration describing possible threats that appear as a result of this.
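As an added illustration of the asymmetry Roland describes (example code, not from the issue or the OIDC Federation spec): a client that verifies signed responses but can only ever treat a plain-JSON error response as unauthenticated, so an unsigned error never changes trust state. It assumes JWS compact serialization and uses an HS256 shared secret as a stand-in for the issuer's asymmetric key; the payloads are constructed.

```python
import base64
import hashlib
import hmac
import json

# Stand-in key: real OIDC Federation issuers sign with asymmetric JWKs; a shared
# HMAC secret keeps this constructed example dependency-free.
ISSUER_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_response(payload: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: wrap a response in a compact JWS (HS256 stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def classify_response(raw: str, key: bytes = ISSUER_KEY) -> tuple:
    """Client side: sort a response into 'signed', 'unsigned_error' or 'invalid'."""
    if raw.lstrip().startswith("{"):
        # Plain JSON is the only shape an error response comes in. Anyone on the
        # network path could have produced it, so it is never authenticated.
        try:
            obj = json.loads(raw)
        except ValueError:
            return "invalid", None
        return ("unsigned_error", obj) if "error" in obj else ("invalid", None)
    parts = raw.split(".")
    if len(parts) == 3:
        header, body, sig = parts
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        try:
            if hmac.compare_digest(expected, _b64url_decode(sig)):
                return "signed", json.loads(_b64url_decode(body))
        except ValueError:  # covers binascii.Error and malformed JSON
            pass
    return "invalid", None  # no signature or a bad one: never trust the claims

def decide_action(raw: str, key: bytes = ISSUER_KEY) -> str:
    """Policy: only a verified signature may change trust state; an unsigned
    error is a transport-level hint (log it, retry), never the issuer's word."""
    kind, _claims = classify_response(raw, key)
    return {"signed": "accept", "unsigned_error": "log_and_retry"}.get(kind, "reject")
```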