[Openid-specs-ab] Transient Client Secret Extension for OAuth

Brian Campbell bcampbell at pingidentity.com
Mon Jul 29 06:28:57 UTC 2013


Really? Even when the value is, or can be, a high entropy pseudo-random
value?


On Mon, Jul 29, 2013 at 8:00 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> Thinking about it overnight, we need to also have a salt sent with the
> hash, to prevent rainbow table attacks.
>
> On 2013-07-28, at 9:39 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
> As some of you know, passing the code securely to a native app on the iOS
> platform is next to impossible. A malicious application may register the same
> custom scheme as the victim application and hope to obtain the code, whose
> success rate is rather high.
>
> We discussed it during the OpenID Connect Meeting at IETF 87
> today, and I have captured the discussion in the form of an I-D. It is pretty
> short and hopefully easy to read.
>
> You can find it at:
>
> https://bitbucket.org/Nat/drafts/src/
>
> Comments are welcome.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>  _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab